Updates from: 08/05/2021 03:09:50
Category Microsoft Docs article Related commit history on GitHub Change details
admin Connect To Gcc Data With Usage Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/usage-analytics/connect-to-gcc-data-with-usage-analytics.md
+
+ Title: "Connect to Microsoft 365 Government Community Cloud (GCC) data with Usage Analytics"
+f1.keywords:
+- CSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+
+- AdminSurgePortfolio
+- AdminTemplateSet
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+ms.assetid: 9db96e9f-a622-4d5d-b134-09dcace55b6a
+description: "Learn how to connect to data in your Microsoft 365 Government Community Cloud (GCC) tenant by using the Microsoft 365 Usage Analytics template app in Power BI."
++
+# Connect to Microsoft 365 Government Community Cloud (GCC) data with Usage Analytics
+
+Use the following procedures to connect to your data with the Microsoft 365 Usage Analytics report in a Microsoft 365 Government Community Cloud (GCC) tenant.
+
+> [!NOTE]
+> These instructions are specifically for Microsoft 365 GCC tenants.
+
+## Before you begin
+
+To initially configure Microsoft 365 Usage Analytics:
+
+- You need to be a Microsoft 365 Global admin to enable data collection.
+- You need the [Power BI Desktop](https://powerbi.microsoft.com/en-us/desktop/) application to use the template file.
+- You need a [Power BI Pro license](https://go.microsoft.com/fwlink/p/?linkid=845347) or Premium capacity to publish and view the report.
+
+## Step 1: Make you organizationΓÇÖs data available for the Microsoft 365 Usage Analytics report
+
+1. In the Microsoft 365 admin center, expand the navigation menu, select **Reports**, then select **Usage**.
+2. On the **Usage Reports** page, in the Microsoft 365 Usage Analytics section, select **Get Started**.
+3. Under **Enable Power BI for usage analytics**, select **Make organizational usage data available to Microsoft usage analytics for Power BI**, and then select **Save**.
+
+ ![Make your tenant data available](../../media/usage-analytics/make-data-available.png)
+++
+ This will start a process to make your organizations data accessible for this report, and you will see a message stating that **WeΓÇÖre getting your data ready for Microsoft 365 usage analytics**. Note that this process can take 24 hours to complete.
+
+4. When your organizations data is ready, refreshing the page will show a message stating that your data is now available, and will also provide your **tenant ID** number. You will need to use the tenant ID in a later step when you attempt to connect to your tenant data.
+
+ ![Tenant ID](../../media/usage-analytics/tenant-id-gcc.png)
+
+ > [!IMPORTANT]
+ > When your data is available, do not select **Go to Power BI**, which will take you to the Power BI Marketplace. The template app for this report required by GCC tenants is not available in the Power BI Marketplace.
++
+## Step 2: Download the Power BI template, connect to your data, and publish the report
+
+Microsoft 365 GCC users can download and use the Microsoft 365 Usage Analytics report template file to connect to their data. You will need Power BI Desktop to open and use the template file.
+
+ > [!NOTE]
+ > Currently, a template app for the Microsoft 365 Usage Analytics report is not available for GCC tenants in the Power BI Marketplace.
+
+1. After downloading the [Power BI template](https://download.microsoft.com/download/7/8/2/782ba8a7-8d89-4958-a315-dab04c3b620c/Microsoft%20365%20Usage%20Analytics.pbit), open it using Power BI Desktop.
+2. When prompted for a **TenantID**, enter the tenant ID you received when you prepared your organizationΓÇÖs data for this report in step 1. Then select **Load**. It will take several minutes for your data to load.
+
+ ![Enter tenant ID](../../media/usage-analytics/add-tenant-id.png)
+++
+3. When loading completes, your report will display, and you will see an executive summary of your data.
+
+ ![Executive Summary](../../media/usage-analytics/exec-summary.png)
+
+
+4. Save your changes to the report.
+5. Select **Publish** in the Power BI Desktop menu to publish the report to the Power BI Online service where it can be viewed. This requires either a Power BI Pro license or Power BI Premium capacity. As part of the [publish process](/power-bi/create-reports/desktop-upload-desktop-files#to-publish-a-power-bi-desktop-dataset-and-reports), you will need to select a destination to publish to an available workspace in the Power BI Online Service.
+
+## Related content
+
+[About usage analytics](usage-analytics.md) </br>
+[Get the latest version of usage analytics](get-the-latest-version-of-usage-analytics.md) </br>
+[Navigate and utilize the reports in Microsoft 365 usage analytics](navigate-and-utilize-reports.md) </br>
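Review bot: the Step 1 heading reads "Make you organization's data available"; it should be "Make your organization's data available", and the paragraphs under steps 3 and 4 write "your organizations data" without the possessive apostrophe. The [!NOTE] at the top of Step 2 repeats what the [!IMPORTANT] callout at the end of Step 1 already says (the template app for GCC tenants is not in the Power BI Marketplace), so one of the two can go. In step 5 of Step 2, "select a destination to publish to an available workspace" is hard to follow; "select an available workspace as the destination" is clearer.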
compliance Advanced Ediscovery Large Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/advanced-ediscovery-large-cases.md
Additionally, the new large case format includes an updated user interface that
![Large case statistics in Advanced eDiscovery user interface](..\media\LargeCaseUI.png)
+## Known issues
+
+- At this time, the option to export content as **Loose files and PSTs** isn't supported in large cases (the option is currently greyed out). This export option will be supported soon. For more information about exporting content, see [Export documents from a review set in Advanced eDiscovery](export-documents-from-review-set.md).
+ ## Frequently asked questions **If I attempt to collect over 1 TB in a single collection, will it work?**
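Review bot: the new Known issues bullet relies on "At this time", "currently" and "will be supported soon", none of which tells a later reader whether the limitation still applies. Either date the statement or drop "This export option will be supported soon" and remove the bullet when the **Loose files and PSTs** option ships. The bullet should also say which export options do work in large cases, so that reviewers planning an export are not left with only the unsupported one named.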
compliance Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
The table also indicates the Office 365 Enterprise and Office 365 US Government
|**Creation of forwarding/redirect rule**|Generates an alert when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account. This policy only tracks inbox rules that are created using Outlook on the web (formerly known as Outlook Web App) or Exchange Online PowerShell. This policy has a **Informational** severity setting. For more information about using inbox rules to forward and redirect email in Outlook on the web, see [Use rules in Outlook on the web to automatically forward messages to another account](https://support.office.com/article/1433e3a0-7fb0-4999-b536-50e05cb67fed).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5| |**eDiscovery search started or exported**|Generates an alert when someone uses the Content search tool in the Security and compliance center. An alert is triggered when the following content search activities are performed: <br/><br/>* A content search is started<br/>* The results of a content search are exported<br/>* A content search report is exported<br/><br/>Alerts are also triggered when the previous content search activities are performed in association with an eDiscovery case. This policy has a **Informational** severity setting. For more information about content search activities, see [Search for eDiscovery activities in the audit log](search-for-ediscovery-activities-in-the-audit-log.md#ediscovery-activities).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5| |**Elevation of Exchange admin privilege**|Generates an alert when someone is assigned administrative permissions in your Exchange Online organization. For example, when a user is added to the Organization Management role group in Exchange Online. This policy has a **Low** severity setting.|Permissions|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Email messages containing malware removed after delivery**|Generates an alert when any messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md).|Threat management|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
-|**Email messages containing phish URLs removed after delivery**|Generates an alert when any messages containing phish are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Email messages containing malicious file removed after delivery**|Generates an alert when any messages containing a malicious file are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
+|**Email messages containing malicious URL removed after delivery**|Generates an alert when any messages containing a malicious URL are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Email messages from a campaign were delivered and later removed**|Generates an alert when any messages associated with a [Campaign](../security/office-365-security/campaigns.md) are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Email messages removed after delivery**|Generates an alert when any malicious messages that do not contain a malicious entity (URL or File), or associated with a Campaign, are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
|**Email reported by user as malware or phish**|Generates an alert when users in your organization report messages as phishing email using the Report Message add-in. This policy has an **Low** severity setting. For more information about this add-in, see [Use the Report Message add-in](https://support.office.com/article/b5caa9f1-cdf3-4443-af8c-ff724ea719d2). For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5| |**Email sending limit exceeded**|Generates an alert when someone in your organization has sent more mail than is allowed by the outbound spam policy. This is usually an indication the user is sending too much email or that the account may be compromised. This policy has a **Medium** severity setting. If you get an alert generated by this alert policy, it's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5| |**Form blocked due to potential phishing attempt**|Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior. This policy has a **High severity** setting.|Threat management|E1, E3/F3, or E5|
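Review bot: in the added **Email messages removed after delivery** row, "malicious messages that do not contain a malicious entity (URL or File), or associated with a Campaign" does not parse. If the intent is messages that carry neither a malicious URL or file nor a campaign association, write "that do not contain a malicious entity (URL or file) and are not associated with a campaign". The two removed rows are replaced by policies with different names, so naming the old policies ("Email messages containing malware removed after delivery", "Email messages containing phish URLs removed after delivery") beside the new ones would help readers whose alert filters or runbooks match on the name. The licensing column mixes "Microsoft Defender for Office 365 P2" and "Defender for Office 365 P2" across the new rows, and the URL, campaign and generic rows still describe the removed messages as "infected".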
compliance App Governance Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-get-started.md
To begin using the app governance add-on to Microsoft Cloud App Security:
1. Verify your account has the [appropriate level of licensing](#licensing-for-app-governance). App governance is an add-on feature for Microsoft Cloud App Security (MCAS), and thus MCAS must be present in your account as either a standalone product or as part of the various license packages listed below. 1. You must have one of the [administrator roles](#administrator-roles) listed below to access the app governance pages in the portal.
-1. Your organization's tenant registration must be within one of the [supported areas of North America, Europe, or Africa](app-governance-countries.md).
+1. Your organization's billing address must be within one of the [supported areas of North America, Europe, or Africa](app-governance-countries.md) in order to activate the free trial.
## Add app governance to your Microsoft 365 account
If you did not participate in private preview and would like to cancel your tria
The app governance team has identified the following known issues for the preview: - 2-way sync between Microsoft Defender and app governance alerts ΓÇô currently alerts resolved in Defender will have to be manually resolved in app governance as well.-- Priority accounts insights in App Users and Usage tabs will not work as expected for certain users.
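Review bot: the rewritten prerequisite ties the region requirement to the billing address and adds "in order to activate the free trial", which leaves open whether a paid activation has any regional restriction. State the rule for both cases, or say explicitly that the restriction applies to the trial only. The link text still reads "supported areas of North America, Europe, or Africa", so check that app-governance-countries.md now describes billing addresses and not tenant registration.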
compliance App Governance Manage App Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-manage-app-governance.md
description: "Implement Microsoft app governance capabilities to govern your app
>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).* > [!NOTE]
-> To sign up for app governance, see [Get started with app governance (in preview)](app-governance-get-started.md).
+> To sign up for app governance, see [Get started with app governance (in preview)](app-governance-get-started.md#add-app-governance-to-your-microsoft-365-account).
Cyberattacks have become increasingly sophisticated in the ways they exploit the apps you have deployed in your on-premises and cloud infrastructures, establishing a starting point for privilege escalation, lateral movement, and exfiltration of your data. To understand the potential risks and stop these types of attacks, you need to gain clear visibility into your organizationΓÇÖs app compliance posture to quickly identify when an app exhibits anomalous behaviors and to respond when these behaviors present risks to your environment, data, and users.
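Review bot: the sign-up link now targets the #add-app-governance-to-your-microsoft-365-account anchor, which drops readers below the prerequisites in app-governance-get-started.md (licensing, administrator roles, supported regions), so they reach the sign-up steps without seeing them. Either keep the link at the top of the article or mention the prerequisites in this note. The anchor is derived from the heading text, so a later rename of "## Add app governance to your Microsoft 365 account" will break this link without any build error in this file.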
compliance Archive Ringcentral Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-ringcentral-data.md
description: "Admins can set up a connector to import and archive RingCentral data from Veritas to Microsoft 365. This connector lets you archive data from third-party data sources in Microsoft 365. After your archive this data, you can use compliance features such as legal hold, eDiscovery, and retention policies to manage third-party data."
-# Set up a connector to archive RingCentral data (preview)
+# Set up a connector to archive RingCentral data
Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the RingCentral platform to user mailboxes in your Microsoft 365 organization. Veritas provides the RingCentral connector that is configured to capture items from the third-party data source and import those items to Microsoft 365. The connector converts content such as chats, attachments, tasks, notes, and posts from RingCentral to an email message format and then imports those items to the user mailboxes in Microsoft 365.
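Review bot: only the H1 drops "(preview)" here; confirm the front-matter title and any remaining "preview" wording in the body are updated in the same change so the article does not contradict its own heading. While this file is open, the description line above the heading reads "After your archive this data" and should be "After you archive this data".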
compliance Archive Signal Archiver Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-signal-archiver-data.md
The following overview explains the process of using a connector to archive  Si
4. The connector imports the mobile communication items to the mailbox of a specific user. A new folder named Signal Archiver will be created in the specific user's mailbox and the items will be imported to it. The connector does the mapping by using the value of the *User's Email address* property. Every email message contains this property, which is populated with the email address of every participant of the email message.
-> In addition to automatic user mapping using the value of the *User's Email address* property, you can also define a custom mapping by uploading a CSV mapping file. This mapping file should contain User's mobile Number and the corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every email item the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's mobile number, the connector will use the User ΓÇÿs email address property of the email item. If the connector doesn't find a valid Microsoft 365 user in either the custom mapping file or the *user's email address* property of the email item, the item won't be imported.
+ In addition to automatic user mapping using the value of the *User's Email address* property, you can also define a custom mapping by uploading a CSV mapping file. This mapping file should contain User's mobile Number and the corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every email item the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's mobile number, the connector will use the User ΓÇÿs email address property of the email item. If the connector doesn't find a valid Microsoft 365 user in either the custom mapping file or the *user's email address* property of the email item, the item won't be imported.
## Before you set up a connector
The following overview explains the process of using a connector to archive  Si
- The user who creates a Signal Archiver connector in Step 3 must be assigned the Mailbox Import Export role in Exchange Online. This is required to add connectors in the **Data connectors** page in the Microsoft 365 compliance center. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Create a Signal Archiver connector After you've completed the prerequisites described in the previous section, you can create the Signal Archiver connector in the Microsoft 365 compliance center. The connector uses the information you provide to connect to the TeleMessage site and transfers Signal communications data to the corresponding user mailbox boxes in Microsoft 365.
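Review bot: the added GCC bullet carries the most consequential statement in the section (customer data is stored and processed on third-party systems outside the Microsoft 365 compliance and data protection commitments), yet it sits as the last item in the prerequisites list. Move it into a callout so an admin scanning for role requirements does not miss it, and write "FedRAMP" instead of "FEDRAMP". The re-indented mapping paragraph loses its quote marker but keeps the defects of the line it replaces: "User 's email address" has a stray space and a mis-encoded quote, "look at custom mapping file" is missing "the", and the property name is capitalised three different ways.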
compliance Archive Telegram Archiver Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-telegram-archiver-data.md
The following overview explains the process of using a connector to archive  Te
- The user who creates a Telegram Archiver connector in Step 3 must be assigned the Mailbox Import Export role in Exchange Online. This is required to add connectors in the **Data connectors** page in the Microsoft 365 compliance center. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+ ## Create a Telegram Archiver connector After you've completed the prerequisites described in the previous section, you can create the Telegram Archiver connector in the Microsoft 365 compliance center. The connector uses the information you provide to connect to the TeleMessage site and transfers Telegram communications data to the corresponding user mailbox boxes in Microsoft 365.
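Review bot: the GCC bullet added here is word for word the one added to the Signal Archiver article, so the two copies will drift the next time the statement is revised; a shared include would keep them identical. As in the Signal article, the bullet does not name the third party, although the section that follows says the connector connects to the TeleMessage site; naming TeleMessage in the bullet tells the reader where the data actually goes. The following section also says "user mailbox boxes", which should be "user mailboxes".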
compliance Archiving Third Party Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archiving-third-party-data.md
As previously mentioned, data connectors provided by TeleMessage are available i
|Bell SMS/MMS Network Archiver | Yes | No | No | |Enterprise Number Archiver | Yes | No | No | |O2 SMS and Voice Network Archiver | Yes | No | No |
+|Signal Archiver | Yes | No | No |
+|Telegram Archiver | Yes | No | No |
|TELUS SMS Network Archiver | Yes | No | No | |Verizon SMS/MMS Network Archiver | Yes | No | No |
+|WeChat Archiver | Yes | No | No |
|WhatsApp Archiver | Yes | No | No | |||||
compliance Communication Compliance Investigate Remediate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-investigate-remediate.md
No matter where you start to review alerts or the filtering you configure, the n
After reviewing the message basics, it's time to open a message to examine the details and to determine further remediation actions. Select a message to view the complete message header and body information. Several different views are available to help you decide the proper course of action: -- **Source view**: This view is the standard message view commonly seen in most web-based messaging platforms. The header information is formatted in the normal style and the message body supports imbedded graphic files and word-wrapped text. If [optical character recognition (OCR)](communication-compliance-feature-reference.md#optical-character-recognition-ocr) is enabled for the policy, images containing printed or handwritten text that match policy conditional are viewed as a child item for the associated message in this view.-- **Text view**: Text view displays a line-numbered text-only view of the message and includes keyword highlighting in messages and attachments for sensitive info type terms or keywords matched in the associated communication compliance policy. Keyword highlighting can help you quickly scan long messages and attachments for the area of interest. In some cases, highlighted text may be only in attachments for messages matching policy conditions. Keyword highlighting isn't supported for terms identified by built-in classifiers assigned to a policy. Embedded files aren't displayed and the line numbering this view is helpful for referencing pertinent details among multiple reviewers.-- **Annotate view**: This view allows reviewers to add annotations directly on the message that are saved to the view of the message. 
If [OCR is enabled](communication-compliance-feature-reference.md#optical-character-recognition-ocr) for the policy, images containing printed or handwritten text that match policy conditional are viewed as a child item for the associated message in this view and may be annotated.-- **Conversation view (preview)**: Available for Microsoft Teams chat messages, this view displays up to five messages before and after an alert message to help reviewers view the activity in the conversational context. This context helps reviewers to quickly evaluate messages and make more informed message resolution decisions. Real-time message additions to conversations are displayed, including all inline images, emojis, and stickers available in Teams. Image or text file attachments to messages aren't displayed. Notifications are automatically displayed for messages that have been edited or for messages that have been deleted from the conversation window. When a message is resolved, the associated conversational messages aren't retained with the resolved message. Conversation messages are available for up to 60 days after the alert message is identified.
+- **Source**: This view is the standard message view commonly seen in most web-based messaging platforms. The header information is formatted in the normal style and the message body supports imbedded graphic files and word-wrapped text. If [optical character recognition (OCR)](communication-compliance-feature-reference.md#optical-character-recognition-ocr) is enabled for the policy, images containing printed or handwritten text that match policy conditional are viewed as a child item for the associated message in this view.
+- **Plain text**: Text view displays a line-numbered text-only view of the message and includes keyword highlighting in messages and attachments for sensitive info type terms or keywords matched in the associated communication compliance policy. Keyword highlighting can help you quickly scan long messages and attachments for the area of interest. In some cases, highlighted text may be only in attachments for messages matching policy conditions. Keyword highlighting isn't supported for terms identified by built-in classifiers assigned to a policy. Embedded files aren't displayed and the line numbering this view is helpful for referencing pertinent details among multiple reviewers.
+- **Annotate**: This view allows reviewers to add annotations directly on the message that are saved to the view of the message. If [OCR is enabled](communication-compliance-feature-reference.md#optical-character-recognition-ocr) for the policy, images containing printed or handwritten text that match policy conditional are viewed as a child item for the associated message in this view and may be annotated.
+- **Conversation (preview)**: Available for Microsoft Teams chat messages, this view displays up to five messages before and after an alert message to help reviewers view the activity in the conversational context. This context helps reviewers to quickly evaluate messages and make more informed message resolution decisions. Real-time message additions to conversations are displayed, including all inline images, emojis, and stickers available in Teams. Image or text file attachments to messages aren't displayed. Notifications are automatically displayed for messages that have been edited or for messages that have been deleted from the conversation window. When a message is resolved, the associated conversational messages aren't retained with the resolved message. Conversation messages are available for up to 60 days after the alert message is identified.
- **User history**: User history view displays all other alerts generated by any communication compliance policy for the user sending the message. - **Pattern detected notification**: Many harassing and bullying actions over time and involve reoccurring instances of the same behavior by a user. The *Pattern detected* notification is displayed in the alert details and raises attention to the alert. Detection of patterns is on a per-policy basis and evaluates behavior over the last 30 days when at least two messages are sent to the same recipient by a sender. Investigators and reviewers can use this notification to identify repeated behavior to evaluate the alert as appropriate.-- **Show Translate view**: This view automatically converts alert message text to the language configured in the *Displayed language* setting in the Microsoft 365 subscription for each reviewer. The Translate view helps broaden investigative support for organizations with multilingual users and eliminates the need for additional translation services outside of the communication compliance review process. Using Microsoft Translate services, the Translate view can be turned on and off as needed and supports a wide range of languages. For a complete list of supported languages, see [Microsoft Translator Languages](https://www.microsoft.com/translator/business/languages/). Languages listed in the *Translator Language List* are supported in the Translate view.-
- ![Communication compliance message view controls](../media/communication-compliance-message-views.png)
+- **Translation**: This view automatically converts alert message text to the language configured in the *Displayed language* setting in the Microsoft 365 subscription for each reviewer. The *Translation* view helps broaden investigative support for organizations with multilingual users and eliminates the need for additional translation services outside of the communication compliance review process. Using Microsoft translation services, the *Translation* view can be turned on and off as needed and supports a wide range of languages. For a complete list of supported languages, see [Microsoft Translator Languages](https://www.microsoft.com/translator/business/languages/). Languages listed in the *Translator Language List* are supported in the *Translation* view.
### Step 3: Decide on a remediation action
compliance Communication Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance.md
Built-in remediation workflows allow you to quickly identify and take action on
- **Optical character recognition (OCR) (preview)**: Scan, detect, and investigate printed and handwritten text within images embedded or attached to email or Microsoft Teams chat messages. - **New filters**: Investigate and remediate policy alerts faster with message filters for several fields, including sender, recipient, date, domains, and many more. - **Improved message views**: Investigation and remediation actions are now quicker with new message source, text, and annotation views. Message attachments are now viewable to provide complete context when taking remediation actions.-- **User history view**: Historical view of all user message remediation activities, such as past notifications and escalations for policy matches, now provides reviewers with more context during the remediation workflow process. First-time or repeat instances of policy matches for users are now archived and easily viewable.
+- **User history**: Historical view of all user message remediation activities, such as past notifications and escalations for policy matches, now provides reviewers with more context during the remediation workflow process. First-time or repeat instances of policy matches for users are now archived and easily viewable.
- **Pattern detected notification**: Many harassing and bullying actions take place over time and involve reoccurring instances of the same behavior by a user. The new pattern detected notification displayed in alert details helps raise attention to these alerts and this type of behavior.-- **Show Translate view**: Quickly investigate message details in eight languages using translate support in the remediation workflow. Messages in other languages are automatically converted to the display language of the reviewer.
+- **Translation**: Quickly investigate message details in eight languages using translate support in the remediation workflow. Messages in other languages are automatically converted to the display language of the reviewer.
### Actionable insights
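Review bot: The renamed **Translation** bullet still says "in eight languages using translate support", so the body no longer matches the new feature name, and the fixed count of eight disagrees with the Translation bullet changed earlier in this update, which says the view "supports a wide range of languages" and links to the Microsoft Translator language list. Suggest "using translation support" and either dropping the count or pointing to the same language list.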
compliance Create And Manage Inactive Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-and-manage-inactive-mailboxes.md
After the mailbox is placed on hold or a retention policy is applied to it, the
To view a list of the inactive mailboxes in your organization:
-1. Go to <https://compliance.microsoft.com> and sign in using the credentials for an Global administrator or a Complaince administrator account in your organization.
+1. Go to <https://compliance.microsoft.com> and sign in using the credentials for an Global administrator or a Compliance administrator account in your organization.
2. In the left navigation pane of the Microsoft 365 compliance center, click **Show all**, and then click **Information governance > Retention**.
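Review bot: The corrected step 1 still reads "an Global administrator"; it should be "a Global administrator". Worth fixing in the same change as the "Complaince" typo.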
compliance Create Apply Retention Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-apply-retention-labels.md
To label an item in the Outlook desktop client, select the item. On the **Home**
![Assign Policy button](../media/30684dea-dd73-4e4a-9185-8e29f403b6ca.png)
-You can also right-click an item, click **Assign Policy** in the context menu, and then choose the retention label.
+You can also right-click an item, click **Assign Policy** in the context menu, and then choose the retention label. When you select multiple items, you can use this method to assign the same retention label to multiple items at once.
After the retention label is applied, you can view that retention label and what action it takes at the top of the item. If an email has a retention label applied that has an associated retention period, you can see at a glance when the email expires.
When labels are applied that aren't standard retention labels but mark items as
#### Applying retention labels in Outlook on the web
-To label an item in Outlook on the web, right-click the item \> **Assign policy** \> choose the retention label.
+To label an item in Outlook on the web, right-click the item \> **Assign policy** \> choose the retention label. Unlike Outlook desktop, you can't use this method if you multi-select items.
![Assign policy menu in Outlook on the web](../media/146a23cf-e478-4595-b2e8-f707fc4e6ea3.png)
compliance Data Classification Activity Explorer Available Events https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-activity-explorer-available-events.md
This event is generated each time a sensitivity label is updated on the document
|Source |Reported in activity explorer|Note | |||| |Word, Excel, PowerPoint |yes |
-|Outlook |yes |Win 32|
+|Outlook |yes |
|SharePoint Online, OneDrive |yes | |Exchange |yes | |AIP unified client |yes |
compliance Data Classification Content Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-content-explorer.md
In order to get access to the content explorer tab, an account must be assigned
> [!IMPORTANT] > Membership in these role groups does not allow you to view the list of items in content explorer or to view the contents of the items in content explorer.
+> [!IMPORTANT]
+> Only Global admins can manage or assign permissions to other users in the Compliance Center. For more details, see [Give users access to the Security & Compliance Center](microsoft-365/security/office-365-security/grant-access-to-the-security-and-compliance-center).
+>
### Required permissions to access items in content explorer Access to content explorer is highly restricted because it lets you read the contents of scanned files.
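Review bot: The link target in the added IMPORTANT note, `microsoft-365/security/office-365-security/grant-access-to-the-security-and-compliance-center`, has no `.md` extension and no `../` prefix, unlike the other relative links in this article (for example `dlp-learn-about-dlp.md`), so from the compliance folder it is likely to resolve to the wrong path. Suggest a target of the form `../security/office-365-security/grant-access-to-the-security-and-compliance-center.md`, and drop the trailing empty `>` line. This note is where readers learn who can assign Compliance Center permissions, so the link needs to work.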
You can search on:
- [Learn about sensitivity labels](sensitivity-labels.md) - [Learn about retention policies and retention labels](retention.md) - [Sensitive information type entity definitions.md](sensitive-information-type-entity-definitions.md)-- [Learn about data loss prevention](dlp-learn-about-dlp.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
compliance Endpoint Dlp Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-learn-about.md
description: "Microsoft 365 Endpoint data loss prevention extends monitoring of
You can use Microsoft 365 data loss prevention (DLP) to monitor the actions that are being taken on items you've determined to be sensitive and to help prevent the unintentional sharing of those items. For more information on DLP, see [Learn about data loss prevention](dlp-learn-about-dlp.md).
-**Endpoint data loss prevention** (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items that are on Windows 10 devices. Once devices are onboarded into the Microsoft 365 compliance solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](create-test-tune-dlp-policy.md).
+**Endpoint data loss prevention** (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items that are physically stored on Windows 10 devices. Once devices are onboarded into the Microsoft 365 compliance solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](create-test-tune-dlp-policy.md).
> [!TIP] > If you are looking for device control for removable storage, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](../security/defender-endpoint/device-control-removable-storage-access-control.md#microsoft-defender-for-endpoint-device-control-removable-storage-access-control). ## Endpoint activities you can monitor and take action on
-Microsoft Endpoint DLP enables you to audit and manage the following types of activities users take on sensitive items on devices running Windows 10.
+Microsoft Endpoint DLP enables you to audit and manage the following types of activities users take on sensitive items that are physically stored Windows 10 devices.
|Activity |Description | Auditable/restictable| ||||
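Review bot: The added sentence under "Endpoint activities you can monitor and take action on" is missing a preposition: "sensitive items that are physically stored Windows 10 devices" should read "physically stored on Windows 10 devices", matching the wording added to the Endpoint DLP definition earlier in this file. The table header on the following line also has "restictable" for "restrictable".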
compliance Importing Pst Files To Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/importing-pst-files-to-office-365.md
Here's an illustration and description of the complete PST import process. The i
- **Drive shipping:** The WAImportExport.exe tool (downloaded in step 1) is used to copy your PST files to the hard drive. This tool encrypts the hard drive with BitLocker and then copies the PSTs to the hard drive. Like network upload, the PST files that you want to copy to the hard drive have to be located in a file share or file server in your organization.
-3. **Create a PST import mapping file** - After the PST files have been uploaded to the Azure Storage location or copied to a hard drive, the next step is to create a comma-separated value (CSV) file that specifies which user mailboxes the PST files will be imported to (and a PST file can be imported to a user's primary mailbox or their archive mailbox). The Office 365 Import service will use the information to import the PST files.
+3. **Create a PST import mapping file** - After the PST files have been uploaded to the Azure Storage location or copied to a hard drive, the next step is to create a comma-separated value (CSV) file that specifies which user mailboxes the PST files will be imported to (and a PST file can be imported to a user's primary mailbox or their archive mailbox). [Download a copy of the PST Import mapping file](https://go.microsoft.com/fwlink/p/?LinkId=544717). The Office 365 Import service will use the information to import the PST files.
4. **Create a PST import job** - The next step is to create a PST import job on the **Import PST files** page in the Security & Compliance Center and submit the PST import mapping file created in the previous step. For network upload (because the PST files have been uploaded to Azure) Microsoft 365 analyzes the data in the PST files and then gives you an opportunity to set filters that control what data actually gets imported to the mailboxes specified in the PST import mapping file.
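Review bot: In step 3 the download link is inserted between the sentence that introduces the CSV mapping file and "The Office 365 Import service will use the information to import the PST files", so "the information" now follows the download sentence and its referent is less clear. Suggest moving the link to the end of the step, or rewording to "The Office 365 Import service uses the information in the mapping file to import the PST files."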
compliance Permissions Filtering For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/permissions-filtering-for-content-search.md
The **New-ComplianceSecurityFilter** is used to create a search permissions filt
|:--|:--| | _Action_ <br/> | The _Action_ parameter specifies that type of search action that the filter is applied to. The possible Content Search actions are: <br/><br/> **Export:** The filter is applied when exporting search results. <br/> **Preview:** The filter is applied when previewing search results. <br/> **Purge:** The filter is applied when purging search results. <br/> **Search:** The filter is applied when running a search. <br/> **All:** The filter is applied to all search actions. <br/> | | _FilterName_ <br/> |The _FilterName_ parameter specifies the name of the permissions filter. This name is used to identity a filter when using the **Get-ComplianceSecurityFilter**, **Set-ComplianceSecurityFilter,** and **Remove-ComplianceSecurityFilter** cmdlets. <br/> |
-| _Filters_ <br/> | The _Filters_ parameter specifies the search criteria for the compliance security filter. You can create three different types of filters: <br/><br/> **Mailbox or OneDrive filtering:** This type of filter specifies the mailboxes and OneDrive accounts the assigned users (specified by the _Users_ parameter) can search. The syntax for this type of filter is **Mailbox_** _MailboxPropertyName_, where _MailboxPropertyName_ specifies a mailbox property used to scope the mailboxes and OneDrive accounts that can be searched. For example, the mailbox filter `"Mailbox_CustomAttribute10 -eq 'OttawaUsers'"` would allow the user assigned this filter to search only the mailboxes and OneDrive accounts that have the value "OttawaUsers" in the CustomAttribute10 property. <br/> Any supported filterable recipient property can be used for the _MailboxPropertyName_ property. For a list of supported properties, see [Filterable properties for the -RecipientFilter parameter](/powershell/exchange/recipientfilter-properties). <br/><br/> **Mailbox content filtering:** This type of filter is applied on the content that can be searched. It specifies the mailbox content the assigned users can search for. The syntax for this type of filter is **MailboxContent_** _SearchablePropertyName: value_, where _SearchablePropertyName_ specifies a Keyword Query Language (KQL) property that can be specified in a Content Search. For example, the mailbox content filter `MailboxContent_recipients:contoso.com` would allow the user assigned this filter to only search for messages sent to recipients in the contoso.com domain. <br/> For a list of searchable message properties, see [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md). <br/> <br/> **Important:** A single search filter can't contain a mailbox filter and a mailbox content filter. 
To combine these in a single filter, you have to use a [filters list](#using-a-filters-list-to-combine-filter-types). But a filter can contain a more complex query of the same type. For example, `"Mailbox_CustomAttribute10 -eq 'FTE' -and Mailbox_MemberOfGroup -eq '$($DG.DistinguishedName)'"` <br/><br/> **Site and site content filtering:** There are two SharePoint and OneDrive for Business site-related filters that you can use to specify what site or site content the assigned users can search: <br/><br/> - **Site_** _SearchableSiteProperty_ <br/> - **SiteContent_** _SearchableSiteProperty_ <br/><br/> These two filters are interchangeable. For example, `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` and `"SiteContent_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` return the same results. But to help you identify what a filter does, you can use `Site_` to specify site-related properties (such as a site URL) and `SiteContent_` to specify content-related properties (such as document types. For example, the filter `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` would allow the user assigned this filter to only search for content in the https://contoso.sharepoint.com/sites/doctors site collection. The filter `"SiteContent_FileExtension -eq 'docx'"` would allow the user assigned this filter to only search for Word documents (Word 2007 and later). <br/><br/> For a list of searchable site properties, see [Overview of crawled and managed properties in SharePoint](/SharePoint/technical-reference/crawled-and-managed-properties-overview). Properties marked with a **Yes** in the **Queryable** column can be used to create a site or site content filter. <br/><br/> **Important:** You have to create a search permissions filter to explicitly prevent users from searching content locations in a specific service (such as preventing a user from searching any Exchange mailbox or any SharePoint site). 
In other words, creating a search permissions filter that allows a user to search all SharePoint sites in the organization doesn't prevent that user from searching mailboxes. For example, to allow SharePoint admins to only search SharePoint sites, you have to create a filter that prevents them from searching mailboxes. Similarly, to allow Exchange admins to only search mailboxes, you have to create a filter that prevents them from searching sites. |
+| _Filters_ <br/> | The _Filters_ parameter specifies the search criteria for the compliance security filter. You can create three different types of filters: <br/><br/> **Mailbox or OneDrive filtering:** This type of filter specifies the mailboxes and OneDrive accounts the assigned users (specified by the _Users_ parameter) can search. The syntax for this type of filter is **Mailbox_** _MailboxPropertyName_, where _MailboxPropertyName_ specifies a mailbox property used to scope the mailboxes and OneDrive accounts that can be searched. For example, the mailbox filter `"Mailbox_CustomAttribute10 -eq 'OttawaUsers'"` would allow the user assigned this filter to search only the mailboxes and OneDrive accounts that have the value "OttawaUsers" in the CustomAttribute10 property. <br/> Any supported filterable recipient property can be used for the _MailboxPropertyName_ property. For a list of supported properties, see [Filterable properties for the -RecipientFilter parameter](/powershell/exchange/recipientfilter-properties). <br/><br/> **Mailbox content filtering:** This type of filter is applied on the content that can be searched. It specifies the mailbox content the assigned users can search for. The syntax for this type of filter is **MailboxContent_** _SearchablePropertyName: value_, where _SearchablePropertyName_ specifies a Keyword Query Language (KQL) property that can be specified in a Content Search. For example, the mailbox content filter `MailboxContent_recipients:contoso.com` would allow the user assigned this filter to only search for messages sent to recipients in the contoso.com domain. <br/> For a list of searchable message properties, see [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md). <br/> <br/> **Important:** A single search filter can't contain a mailbox filter and a mailbox content filter. 
To combine these in a single filter, you have to use a [filters list](#using-a-filters-list-to-combine-filter-types). But a filter can contain a more complex query of the same type. For example, `"Mailbox_CustomAttribute10 -eq 'FTE' -and Mailbox_MemberOfGroup -eq '$($DG.DistinguishedName)'"` <br/><br/> **Site and site content filtering:** There are two SharePoint and OneDrive for Business site-related filters that you can use to specify what site or site content the assigned users can search: <br/><br/> - **Site_** _SearchableSiteProperty_ <br/> - **SiteContent_** _SearchableSiteProperty_ <br/><br/> These two filters are interchangeable. For example, `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` and `"SiteContent_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` return the same results. But to help you identify what a filter does, you can use `Site_` to specify site-related properties (such as a site URL) and `SiteContent_` to specify content-related properties (such as document types. For example, the filter `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` would allow the user assigned this filter to only search for content in the https://contoso.sharepoint.com/sites/doctors site collection. The filter `"SiteContent_FileExtension -eq 'docx'"` would allow the user assigned this filter to only search for Word documents (Word 2007 and later). <br/><br/> For a list of searchable site properties, see [Overview of crawled and managed properties in SharePoint](/SharePoint/technical-reference/crawled-and-managed-properties-overview). Properties marked with a **Yes** in the **Queryable** column can be used to create a site or site content filter. <br/><br/> **Important:** <br/><br/> - Setting up a site filter with one of the supported properties does not mean the site property in the filter will propagate to all files on that site. 
This means the user is still responsible for populating the specific property fields associated with the files on that site in order for the site filter to work and capture the right content. For example, if the user has a security filter "Site_RefineableString00 -eq 'abc'" applied and then the user runs a compliance search using keyword query "xyz". The security filter gets appended to the query and the actual query running would be "xyz **AND RefineableString0:'abc'**". The user needs to ensure the files on the site indeed have values in the RefineableString00 field as abc. If not, this search query will not return any results. <br/><br/>- You have to create a search permissions filter to explicitly prevent users from searching content locations in a specific service (such as preventing a user from searching any Exchange mailbox or any SharePoint site). In other words, creating a search permissions filter that allows a user to search all SharePoint sites in the organization doesn't prevent that user from searching mailboxes. For example, to allow SharePoint admins to only search SharePoint sites, you have to create a filter that prevents them from searching mailboxes. Similarly, to allow Exchange admins to only search mailboxes, you have to create a filter that prevents them from searching sites. |
| _Users_ <br/> |The _Users_ parameter specifies the users who get this filter applied to their Content Searches. Identify users by their alias or primary SMTP address. You can specify multiple values separated by commas, or you can assign the filter to all users by using the value **All**. <br/> You can also use the _Users_ parameter to specify a Security & Compliance Center role group. This lets you create a custom role group and then assign that role group a search permissions filter. For example, let's say you have a custom role group for eDiscovery managers for the U.S. subsidiary of a multi-national corporation. You can use the _Users_ parameter to specify this role group (by using the Name property of the role group) and then use the _Filter_ parameter to allow only mailboxes in the U.S. to be searched. <br/> You can't specify distribution groups with this parameter. <br/> | ### Using a filters list to combine filter types
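Review bot: In the new first **Important** bullet of the _Filters_ row the property name is inconsistent: the filter is written as `Site_RefineableString00 -eq 'abc'`, the appended query is shown as `RefineableString0:'abc'` (one zero), and the next sentence returns to RefineableString00. Please make all three match and confirm the spelling against the managed property list linked just above. The example is also a sentence fragment ("For example, if the user has a security filter ... applied and then the user runs a compliance search using keyword query "xyz"."), and "the user" refers both to whoever must populate the property on the files and to the person running the search. Naming the two roles would make clear who has to act, since a filter on an unpopulated property returns no results rather than an error.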
compliance Retention Policies Exchange https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-exchange.md
Other items stored in a mailbox, such as Skype and Teams messages, aren't includ
Both a mailbox and a public folder use the [Recoverable Items folder](/exchange/security-and-compliance/recoverable-items-folder/recoverable-items-folder) to retain items. Only people who have been assigned eDiscovery permissions can view items in another user's Recoverable Items folder.
-When a person deletes a message in a folder other than the Deleted Items folder, by default, the message moves to the Deleted Items folder. When a person deletes an item in the Deleted Items folder, the message is moved to the Recoverable Items folder. However, a user can soft delete an item (Shift+Delete) in any folder, which bypasses the Deleted Items folder and moves the item directly to the Recoverable Items folder.
+When a user deletes a message in a folder other than the Deleted Items folder, by default, the message moves to the Deleted Items folder. However, a user can soft delete an item (Shift+Delete) in any folder, which bypasses the Deleted Items folder and moves the item directly to the Recoverable Items folder.
When you apply retention settings to Exchange data, a timer job periodically evaluates items in the Recoverable Items folder. If an item doesn't match the rules of at least one retention policy or retention label to retain the item, it is permanently deleted (also called hard deleted) from the Recoverable Items folder.
When the retention settings are retain-only, or delete-only, the contents paths
2. **If the item is deleted** during the configured period: The item is immediately moved to the Recoverable Items folder. If a user deletes the item from there or empties the Recoverable Items folder, the item is permanently deleted. Otherwise, the item is permanently deleted after being in the Recoverable Items folder for 14 days.
+## User notification of expiry date
+
+Retention policies for Exchange, unlike retention policies for the other Microsoft 365 workloads, have a user presence by displaying at the top of each email message the name of the retention policy that has the shortest expiry date for the item, and the calculated expiry date for that item. Users don't see this notification if the retention policy doesn't delete items (retain-only).
+
+If a retention label is applied to an email message, the name of that label and corresponding expiry date is always displayed, and will replace the name and date from any retention policy applied to the mailbox.
+
+Remember, in this context, the expiry date for when an email will be deleted is when users can expect the email message to automatically move to the Recoverable Items folder (if not already there). Emails in the Recoverable Items folder will not be permanently deleted but remain there for compliance purposes if they are subject to any retention settings to retain it, or they are under an eDiscovery hold for legal or investigative reasons.
+ ## When a user leaves the organization If a user leaves your organization and the user's mailbox is included in a policy for retention, the mailbox becomes an inactive mailbox when the user's Microsoft 365 account is deleted. The contents of an inactive mailbox are still subject to any retention policy that was placed on the mailbox before it was made inactive, and the contents are available to an eDiscovery search. For more information, see [Inactive mailboxes in Exchange Online](inactive-mailboxes-in-office-365.md).
-When the retention settings no longer apply because the data is permanently deleted or the retention period has expired, the Exchange admin can now [delete the mailbox](delete-an-inactive-mailbox.md). In this scenario, the inactive mailbox isn't automatically deleted.
+When the retention settings no longer apply because the data is permanently deleted or the retention period has expired, the Exchange admin can now [delete the inactive mailbox](delete-an-inactive-mailbox.md). In this scenario, the inactive mailbox isn't automatically deleted.
## Configuration guidance
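Review bot: In the new "User notification of expiry date" section, the last sentence puts its condition at the end, so it first reads as though emails in the Recoverable Items folder are never permanently deleted: "Emails in the Recoverable Items folder will not be permanently deleted but remain there for compliance purposes if they are subject to any retention settings to retain it". Suggest leading with the condition (if the emails are subject to retention settings or an eDiscovery hold, they remain in the folder) and changing "retain it" to "retain them". The blank added line before "## When a user leaves the organization" should also be checked so the heading still starts on its own line.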
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
When content has retention settings assigned to it, that content remains in its
- For Teams and Yammer messages: The copy is retained in a hidden folder named **SubstrateHolds** as a subfolder in the Exchange **Recoverable Items** folder. > [!NOTE]
-> The Preservation Hold library consumes storage that isn't exempt from a site's storage quota. You might need to increase your storage when you use retention settings for SharePoint and Microsoft 365 groups.
+> Because the Preservation Hold library is included in the site's storage quota, you might need to increase your storage when you use retention settings for SharePoint and Microsoft 365 groups.
> These secure locations and the retained content are not visible to most people. In most cases, people do not even need to know that their content is subject to retention settings.
If you are using older eDiscovery tools to preserve data, see the following reso
If you need to proactively retain or delete content in Microsoft 365 for information governance, we recommend that you use retention policies and retention labels instead of the following older features.
-If you currently use these older features, they will continue to work side by side with retention policies and retention labels. However, we recommend that going forward, you use retention policies and retention labels instead. They provide you with a single mechanism to centrally manage both retention and deletion of content across Microsoft 365.
+If you currently use these older features, they will continue to work side by side with Microsoft 365 retention policies and retention labels. However, we recommend that going forward, you use Microsoft 365 retention policies and retention labels to benefit from a single solution to manage both retention and deletion of content across multiple workloads in Microsoft 365.
**Older features from Exchange Online:** - [Retention tags and retention policies](/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies), also known as [messaging records management (MRM)](/exchange/security-and-compliance/messaging-records-management/messaging-records-management) (deletion only)
+
+ However, if you use the following MRM features, be aware that they aren't currently supported by Microsoft 365 retention policies:
+
+ - An archive policy for [archive mailboxes](enable-archive-mailboxes.md) to automatically move emails from a user's primary mailbox to their archive mailbox after a specified period of time. An archive policy (with any settings) can be used in conjunction with a Microsoft 365 retention policy that applies to a user's primary and archive mailbox.
+
+ - Retention policies applied by an admin to specific folders within a mailbox. A Microsoft 365 retention policy applies to all folders in the mailbox. However, an admin can configure different retention settings by using retention labels that a user can apply to folders in Outlook as a [default retention label](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder).
**Older features from SharePoint and OneDrive:**
contentunderstanding Set Up Content Understanding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/set-up-content-understanding.md
- m365initiative-syntex search.appverid: MET150 localization_priority: Priority
-description: "Set up content understanding in Project Cortex"
+description: "Set up SharePoint Syntex"
# Set up SharePoint Syntex
To use SharePoint Syntex, your organization must have a subscription to SharePoi
- SharePoint Syntex - SPO type - Common Data Service for SharePoint Syntex
-If you cancel your SharePoint Syntex subscription at a future date (or your trial expires), users will no longer be able to create or run document understanding or form processing models, and the content center template will no longer be available. Additionally, term store reports, SKOS taxonomy import, and Content type push will no longer be available. No content will be deleted and site permissions will not be changed.
+To use form processing, you also need AI Builder credits. If you have 300 or more licensed users, an allocation of AI Builder credits is provided each month.
-### AI Builder credits
-
-If you have 300 or more SharePoint Syntex licenses for SharePoint Syntex in your organization, you will be allocated one million AI Builder credits. If you have fewer than 300 licenses, you must purchase AI Builder credits in order to use forms processing.
-
-You can estimate the AI Builder capacity thatΓÇÖs right for you with the [AI Builder calculator](https://powerapps.microsoft.com/ai-builder-calculator).
-
-If you plan to use a custom Power Platform environment, you must [allocate credits to that environment](/power-platform/admin/capacity-add-on).
-
-Go to the [Power Platform admin center](https://admin.powerplatform.microsoft.com/resources/capacity) to check your credits and usage.
+For details about SharePoint Syntex licensing, see [SharePoint Syntex licensing](syntex-licensing.md)
## To set up SharePoint Syntex
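Review bot: The added cross-reference "For details about SharePoint Syntex licensing, see [SharePoint Syntex licensing](syntex-licensing.md)" has no closing period. The new AI Builder sentence also says "300 or more licensed users", while both the removed text and the new licensing article say "300 or more SharePoint Syntex licenses"; suggest keeping the threshold wording identical in both places so readers do not read them as different conditions.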
contentunderstanding Syntex Licensing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/syntex-licensing.md
+
+ Title: 'Licensing for SharePoint Syntex'
++++
+audience: admin
++
+ - enabler-strategic
+ - m365initiative-syntex
+search.appverid: MET150
+localization_priority: Priority
+description: "Learn about licensing for SharePoint Syntex"
++
+# Licensing for SharePoint Syntex
+
+To use SharePoint Syntex, your organization must have a subscription to SharePoint Syntex, and each Syntex user must have a license. If you cancel your SharePoint Syntex subscription at a future date (or your trial expires), users will no longer be able to create, publish, or run document understanding or form processing models. Additionally, term store reports, SKOS taxonomy import, and Content type push will no longer be available. No models, content or metadata will be deleted and site permissions will not be changed.
+
+## Tasks requiring a license
+
+The following tasks require a SharePoint Syntex license for the user performing them:
+
+- Uploading content to a document library that has an associated document understanding model
+- Manually running a document understanding model
+- Creating a form processing model via the entry point in a SharePoint library
+- Uploading content to a library where a form processing model has been applied
+- Viewing the metadata extracted from files using a document understanding or forms processing model
+
+Unlicensed users can be granted access to a content center and can create document understanding models there but can't apply them to a document library.
+
+## Cost of running models
+
+The cost of running document understanding models is included in the cost of a SharePoint Syntex license. However, form processing models use AI Builder capacity, for both training and runtime processing. Capacity must be allocated to the Power Apps environment where you will use AI Builder.
+
+If you have 300 or more SharePoint Syntex licenses for SharePoint Syntex in your organization, you will be allocated one million AI Builder credits. This capacity is renewed each month if you maintain the 300-license minimum. (Unused credits don't roll over from month to month.) If you have fewer than 300 licenses, you must purchase AI Builder credits in order to use forms processing.
+
+You can estimate the AI Builder capacity thatΓÇÖs right for you with the [AI Builder calculator](https://powerapps.microsoft.com/ai-builder-calculator).
+
+If you plan to use a custom Power Platform environment, you must [allocate credits to that environment](/power-platform/admin/capacity-add-on).
+
+Go to the [Power Platform admin center](https://admin.powerplatform.microsoft.com/resources/capacity) to check your credits and usage.
+
+## Additional term store features
+
+A subscription to SharePoint Syntex features the following additional term store features:
+
+- SKOS-based term set import
+- Pushing enterprise content types to a hub site, which also adds them to the associated sites and any newly created lists or libraries
+- Term store reports providing insights into published term sets and their use across your tenant
++
+## See also
+
+[Licensing overview for Microsoft Power Platform](/power-platform/admin/pricing-billing-skus)
+
+[Power Apps and Power Automate licensing FAQ](/power-platform/admin/powerapps-flow-licensing-faq)
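Review bot: Terminology drifts inside this new article: the task list and the cost section switch between "form processing" and "forms processing" ("using a document understanding or forms processing model", "in order to use forms processing"), so pick one and use it throughout. In the cost section, "300 or more SharePoint Syntex licenses for SharePoint Syntex" repeats the product name, and the term store section opens with "features the following additional term store features"; "includes the following additional term store features" reads better. The apostrophe in "that's right for you" is a typographic one that shows up mis-decoded here; the privileged access change on this page replaces the same character with a plain apostrophe, and the same fix applies.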
enterprise Privileged Access Microsoft 365 Enterprise Dev Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/privileged-access-microsoft-365-enterprise-dev-test-environment.md
description: Use this Test Lab Guide to enable privileged access management your
This article describes how to configure privileged access management to increase security in your Microsoft 365 for enterprise test environment.
-Configuring priviledged access management involves three phases:
+Configuring privileged access management involves three phases:
+ - [Phase 1: Build out your Microsoft 365 for enterprise test environment](#phase-1-build-out-your-microsoft-365-for-enterprise-test-environment) - [Phase 2: Configure privileged access management](#phase-2-configure-privileged-access-management) - [Phase 3: Verify that approval is required for elevated and privileged tasks](#phase-3-verify-that-approval-is-required-for-elevated-and-privileged-tasks)
To set up and use privileged access in your organization, perform the following
#### [Step 1: Create an approver's group](../compliance/privileged-access-management-configuration.md#step-1-create-an-approvers-group)
-Before you start using privileged access, determine who will have approval authority for incoming requests for access to elevated and privileged tasks. All users who are part of the ApproversΓÇÖ group can approve access requests. To use privileged access, you must create a mail-enabled security group in Microsoft 365. In your test environment, name the new security group "Privileged Access Approvers" and add the "User 3" that was previously created in previous test lab guide steps.
+Before you start using privileged access, determine who will have approval authority for incoming requests for access to elevated and privileged tasks. All users who are part of the Approvers' group can approve access requests. To use privileged access, you must create a mail-enabled security group in Microsoft 365. In your test environment, name the new security group "Privileged Access Approvers" and add the "User 3" that was previously created in previous test lab guide steps.
#### [Step 2: Enable privileged access](../compliance/privileged-access-management-configuration.md#step-2-enable-privileged-access)
In this phase, verify that the privileged access policy is working and that user
### Test the ability to execute a task NOT defined in a privileged access policy
-First, connect to Exchange Management PowerShell with the credentials of a user configured as a Global Administrator in your test environment and attempt to create a new Journal rule. The [New-JournalRule](/powershell/module/exchange/new-journalrule) task is not currently defined in a privileged access policy for your organization.
-
-1. On your local computer, open and sign in to the Exchange Online Remote PowerShell Module at **Microsoft Corporation** > **Microsoft Exchange Online Remote PowerShell Module** using the Global Admin account for your test environment.
+First, connect to Exchange Management PowerShell with the credentials of a user configured with the Exchange Role Management role in your test environment and attempt to create a new Journal rule. The [New-JournalRule](/powershell/module/exchange/new-journalrule) task is not currently defined in a privileged access policy for your organization.
-1. In Exchange Management PowerShell, create a new Journal rule for your organization:
+1. On your local computer, open and sign in to the Exchange Online Remote PowerShell Module at **Microsoft Corporation** > **Microsoft Exchange Online Remote PowerShell Module** using credentials with the Exchange Role Management role for your test environment.
+2. In Exchange Management PowerShell, create a new Journal rule for your organization:
```ExchangeManagementPowerShell New-JournalRule -Name "JournalRule1" -Recipient joe@contoso.onmicrosoft.com -JournalEmailAddress barbara@adatum.com -Scope Global -Enabled $true ```
-1. View that the new Journal Rule was successfully created in Exchange Management PowerShell.
+3. View that the new Journal Rule was successfully created in Exchange Management PowerShell.
### Create a new privileged access policy for the New-JournalRule task >[!NOTE] >If you haven't already completed the Steps 1 and 2 from Phase 2 of this guide, be sure follow the steps to create an approver's group named "Privilege Access Approvers" to enable privileged access in your test environment.
-1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com) using credentials the Global Admin account for your test environment.
-
+1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com) using credentials with the Exchange Role Management role for your test environment.
2. In the Admin Center, go to **Settings** > **Security & Privacy** > **Privileged access**.- 3. Select **Manage access policies and requests**.- 4. Select **Configure policies**, and then select **Add a policy**.- 5. From the drop-down fields, select or enter the following values: **Policy type**: Task- **Policy scope**: Exchange- **Policy name**: New Journal Rule- **Approval type**: Manual- **Approval group**: Privileged Access Approvers 6. Select **Create**, and then select **Close**. It may take a few minutes for the policy to be fully configured and enabled. Be sure to allow time for the policy to be fully enabled before testing the approval requirement in the next step. ### Test approval requirement for the New-JournalRule task defined in a privileged access policy
-1. On your local computer, open and sign in to the Exchange Online Remote PowerShell Module at **Microsoft Corporation** > **Microsoft Exchange Online Remote PowerShell Module** using an using the Global Admin account for your test environment.
+1. On your local computer, open and sign in to the Exchange Online Remote PowerShell Module at **Microsoft Corporation** > **Microsoft Exchange Online Remote PowerShell Module** using credentials with the Exchange Role Management role for your test environment.
2. In Exchange Management PowerShell, create a new Journal rule for your organization:
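Review bot: Every sign-in step here now asks for "credentials with the Exchange Role Management role" in place of the Global Admin account, but nothing in the visible lines says which test-lab account holds that role or how to assign it, so the reader has no account to sign in with; name the account or link the assignment step at first use. The unchanged NOTE under "Create a new privileged access policy" still calls the group "Privilege Access Approvers", while Step 1 and the policy's **Approval group** value use "Privileged Access Approvers"; fix it while touching this section, and add the missing "to" in "be sure follow the steps". The first test command journals to barbara@adatum.com, an address in a different domain from the recipient, whereas the later command uses user1@<your subscription domain>; using the tenant placeholder in both keeps a lab run from copying mail outside the test tenant.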
First, connect to Exchange Management PowerShell with the credentials of a user
### Request access to create a new Journal Rule using the New-JournalRule task
-1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com) using the Global Admin account for your test environment.
+1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com) using credentials with the Exchange Role Management role for your test environment.
2. In the Admin Center, go to **Settings** > **Security & Privacy** > **Privileged access**.
First, connect to Exchange Management PowerShell with the credentials of a user
4. Select **New request**. From the drop-down fields, select the appropriate values for your organization: **Request type**: Task- **Request scope**: Exchange- **Request for**: New Journal Rule- **Duration (hours)**: 2- **Comments**: Request permission to create a new Journal Rule 5. Select **Save**, and then select **Close**. Your request will be sent to the approver's group via email.
First, connect to Exchange Management PowerShell with the credentials of a user
3. Select **Manage access policies and requests**.
-4. Select the pending request, and then select **Approve** to grant access to the Global Admin account to create a new Journal Rule. The Global Admin account (the requesting user) will receive an email confirmation that approval was granted.
+4. Select the pending request, and then select **Approve** to grant access to the user account to create a new Journal Rule. The account (the requesting user) will receive an email confirmation that approval was granted.
### Test creating a new Journal Rule with privileged access approved for the New-JournalRule task
-1. On your local computer, open and sign in to the Exchange Online Remote PowerShell Module at **Microsoft Corporation** > **Microsoft Exchange Online Remote PowerShell Module** using the Global Admin account for your test environment.
+1. On your local computer, open and sign in to the Exchange Online Remote PowerShell Module at **Microsoft Corporation** > **Microsoft Exchange Online Remote PowerShell Module** using credentials with the Exchange Role Management role for your test environment.
-1. In Exchange Management PowerShell, create a new Journal rule for your organization:
+2. In Exchange Management PowerShell, create a new Journal rule for your organization:
```ExchangeManagementPowerShell New-JournalRule -Name "JournalRule2" -Recipient user1@<your subscription domain> -JournalEmailAddress user1@<your subscription domain> -Scope Global -Enabled $true ```
-1. View that the new Journal Rule was successfully created in Exchange Management PowerShell.
+3. View that the new Journal Rule was successfully created in Exchange Management PowerShell.
## Next step
Explore additional [information protection](m365-enterprise-test-lab-guides.md#i
## See also
-[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md)
-
-[Microsoft 365 for enterprise overview](microsoft-365-overview.md)
-
-[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/)
+- [Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md)
+- [Microsoft 365 for enterprise overview](microsoft-365-overview.md)
+- [Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/)
knowledge Manage Topics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/manage-topics.md
Title: 'Manage topics in the topic center in Microsoft Viva Topics'
-description: 'How to manage topics in the topic center.'
-
+ Title: Manage topics in the topic center in Microsoft Viva Topics
+ audience: admin
- enabler-strategic - m365initiative-viva-topics localization_priority: None
+description: Learn how to manage topics in the topic center in Microsoft Viva Topics.
# Manage topics in the topic center in Microsoft Viva Topics
localization_priority: None
In the Viva Topics topic center, a knowledge manager can view the **Manage topics** page to review topics that have been identified in the source locations as specified by your knowledge admin.
- ![Topic Center](../media/knowledge-management/topic-center.png)
+ ![Topic Center.](../media/knowledge-management/topic-center.png)
## Topic stages Knowledge managers help to guide discovered topics through the various topic lifecycle stages: **Suggested**, **Confirmed**, **Published**, and **Removed**.
- ![Topic Lifecycle chart](../media/knowledge-management/topic-lifecycle.png)
+ ![Topic Lifecycle chart.](../media/knowledge-management/topic-lifecycle.png)
- **Suggested**: A topic has been identified by AI and has enough supporting resources, connections, and properties. (These are marked as a **Suggested Topic** in the UI.)
Knowledge managers help to guide discovered topics through the various topic lif
- Multiple users cast negative votes using the feedback mechanism on the topic card. For a topic to be removed, there must be a net of two negative votes received from users. For example, if one user voted negative and one user voted positive for a particular topic, you would still need two more negative votes for the topic to be removed.
- When a published topic is removed, the page with the curated details will need to be deleted manually through the Pages Library of the topic center.
+ When a published topic is removed, the page with the curated details will need to be deleted manually through the Pages library of the topic center.
> [!Note] > On the **Manage topics** page, each knowledge manager will only be able to see topics where they have access to the underlying files and pages connected to the topic. This permission trimming will be reflected in the list of topics that appear in the **Suggested**, **Confirmed**, **Published**, and **Removed** tabs. The topic counts, however, show the total counts in the organization regardless of permissions.
You will not be able to view the **Manage topics** page in the topic center unle
In the topic center, a knowledge manager can review topics that have been identified in the source locations you specified, and can either confirm or remove them. A knowledge manager can also create and publish new topic pages if one was not found in topic discovery, or edit existing ones if they need to be updated.
-## Review suggested topics
+## Suggested topics
On the **Manage topics** page, topics that were discovered in your specified SharePoint source locations will be listed on the **Suggested** tab. If needed, a knowledge manager can review unconfirmed topics and choose to confirm or remove them.
- ![Suggested Topics](../media/knowledge-management/quality-score.png)
+ ![Screenshot of suggested topics.](../media/knowledge-management/quality-score.png)
To review a suggested topic:
Note that you can still choose to reject a confirmed topic. To do this, go to th
## Published topics
-Published topics have been edited so that specific information will always appear to whoever encounters the page. Manually created topics are listed here as well.
+On the **Manage topics** page, topics that were discovered in your specified SharePoint source locations will be listed on the **Published** tab. Published topics have been edited so that specific information will always appear to whoever encounters the page. Manually created topics are listed here as well.
![Manage Topics](../media/knowledge-management/manage-topics-new.png)
+## Removed topics
+
+On the **Manage topics** page, topics that were discovered in your specified SharePoint source locations will be listed on the **Removed** tab. Some suggested topics can appear here based on the end user votes on topic cards in the topic center.
+
+Removed topics can later be added back as viewable topics if needed. If you want to add a removed topic back as a viewable topic:
+
+1. On the **Removed** tab, select the topic.
+
+2. Select **Review and publish**.
+
+ ![Screenshot of Removed tab showing the Review and publish option.](../media/knowledge-management/review-and-publish-removed-topic.png)
+ ## Topic count dashboard This chart in the dashboard view lets you see the number of topics in your Viva Topics topic center. The chart shows the topic counts per topic lifecycle stage and also shows how topic counts have trended over time. Knowledge managers can visually monitor the rate at which new topics are being discovered by AI and the rate at which topics are getting confirmed or published by the knowledge manager or user actions. Knowledge managers might see a different count of topics represented in the list of topics on the **Manage topics** page than they see in the dashboard. This is because a knowledge manager might not have access to all topics. The count presented in the dashboard view is taken before applying permission-trimming.
- ![Screenshot of topic count dashboard](../media/knowledge-management/topic-count-dashboard.png)
+ ![Screenshot of topic count dashboard.](../media/knowledge-management/topic-count-dashboard.png)
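Review bot: The sentences added to open "Published topics" and "Removed topics" reuse the Suggested-tab wording ("topics that were discovered in your specified SharePoint source locations will be listed on the **Published** tab" and the same for **Removed**), which contradicts what follows in each section: Published also lists manually created topics, and Removed holds only topics that were rejected or voted down. Describe what each tab actually contains. The new "Removed topics" procedure stops at "Select **Review and publish**" without saying which stage the topic returns to, and the manage-topics-new.png image keeps the alt text "Manage Topics" while the other images in this change gain descriptive alt text ending in a period.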
lighthouse M365 Lighthouse Win365 Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-win365-page-overview.md
+
+ Title: "Microsoft 365 Lighthouse Windows 365 (Cloud PCs) page overview"
+f1.keywords: NOCSH
+++
+audience: Admin
+
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+
+- AdminSurgePortfolio
+- M365-Lighthouse
+search.appverid: MET150
+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn about the Windows 365 (Cloud PCs) page."
++
+# Windows 365 (Cloud PCs) page overview
+
+> [!NOTE]
+> The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
+
+Windows 365 is a cloud-based service that lets Microsoft Endpoint Manager (MEM) admins provision and manage Cloud PCs for their users who have a Windows 365 license. Windows 365 is fully integrated with MEM for device management, and with Microsoft 365 Lighthouse for partner management of Cloud PCs across all their customer tenants.
+
+For more information about Windows 365, see [What is Windows 365?](/windows-365/overview) For a list of Windows 365 requirements, see [Requirements for Windows 365](/windows-365/requirements).
+
+> [!IMPORTANT]
+> You must go to [MEM](https://go.microsoft.com/fwlink/p/?linkid=2150463) to provision Cloud PCs for each customer tenant before you can manage them in Microsoft 365 Lighthouse. You can't provision from within Microsoft 365Lighthouse.
+
+Once you've provisioned Cloud PCs for your customer tenant, the Windows 365 card on the Microsoft 365 Home page provides a brief alert on the Cloud PCs in need of action, such as the number of Cloud PCs that failed to provision and on-premises network connection failures. To get a detailed status, select the button on the Windows 365 card (or select **Windows 365** in the left navigation pane) to open the Windows 365 page. From this page, you can get a status overview of the Cloud PCs assigned to your customer tenants, view a list of all the Cloud PCs you manage and the tenants they're assigned to, and view the on-premises network connections between your customer tenants and Azure Active Directory (Azure AD) and their status.
+
+## Overview tab
+
+On the Overview tab, the colored count-annotation bar displays the total number of Cloud PCs or on-premises network connections across all your customer tenants that have the following statuses: Failed network connections, Not provisioned, Provisioning failed, and Deprovisioning soon.
+
+You can see a breakdown of Cloud PC statuses for each customer tenant in the list below the annotation bar. To see which tenants have Cloud PCs with a specific status, select that status from the count-annotation bar to filter the list. To see Cloud PC statuses for one or more specific customer tenants, use the **Tenants** dropdown menu to filter the list.
+
+To get detailed status information for a particular customer tenant, select a value under any of the status columns for that tenant. Depending on which column the value is in, the **On-premises network connections** or **All cloud PCs** tab will open and show more information.
+
+The Overview tab also includes the following options:
+
+- **Refresh:** Select to retrieve the most current Cloud PC data.
+- **Export:** Select to export Cloud PC data to an Excel comma-separated values (.csv) file.
+- **Search:** Enter keywords to quickly locate a specific Cloud PC in the list.
++
+## All Cloud PCs tab
+
+On the All Cloud PCs tab, the colored count-annotation bar displays the total number of Cloud PCs across all your customer tenants that have the following statuses: Provisioned, Not provisioned, Provisioning failed, and Deprovisioning soon.
+
+You can view all Cloud PCs and their provisioning status in the list below the annotation bar. The following information is provided:
+
+- **Cloud PC name:** Name assigned to the Cloud PC.
+- **Tenant:** Customer tenant in which a Cloud PC was provisioned.
+- **Device name:** Intune device nameΓÇöa unique identifier for a Cloud PC.
+- **PC type:** Type of Cloud PC according to standard SKUs.
+- **Status:** Provisioning status of the Cloud PC.
+- **User:** User for whom a Cloud PC has been provisioned or attempted to be provisioned.
+
+To see which tenants have Cloud PCs with a specific provisioning status, select that status from the count-annotation bar to filter the list. To see Cloud PC provisioning statuses for one or more specific customer tenants, use the **Tenants** dropdown menu to filter the list.
+
+Select any Cloud PC in the list to view more details. If you need to take action on the Cloud PC, there are options to view tenant provisioning policies and device details in Microsoft Endpoint Manager.
+
+The All Cloud PCs tab also includes the following options:
+
+- **Refresh:** Select to retrieve the most current Cloud PC data.
+- **Export:** Select to export Cloud PC data to an Excel comma-separated values (.csv) file.
+- **Search:** Enter keywords to quickly locate a specific Cloud PC in the list.
+- **Retry provisioning:** Select 1 to 20 Cloud PCs from the list that have a status of **Provisioning failed**, and then select this option to retry provisioning for those Cloud PCs.
+
+To see a complete list of Cloud PC statuses and what they mean, see [Cloud PC overview page](/windows-365/device-management-overview#cloud-pc-overview-page) in the Windows 365 documentation library.
++
+## On-premises network connections tab
+
+On the On-premises network connections tab, the colored count-annotation bar displays the total number of on-premises network connections across all your customer tenants that have the following statuses: Successful connections and Failed connections.
+
+In the list below the count-annotation bar, you can view all on-premises network connections and their connection status.
+
+To see connections with a specific provisioning status, select that status from the count-annotation bar to filter the list. To see connection statuses for one or more specific customer tenants, use the **Tenants** dropdown menu to filter the list.
+
+If you need to take action or troubleshoot a connection in the list, select **View connection details in Microsoft Endpoint Manager**.
+
+The On-premises network connections tab also includes the following options:
+
+- **Refresh:** Select to retrieve the most current connection data.
+- **Export:** Select to export connection data to an Excel comma-separated values (.csv) file.
+- **Search:** Enter keywords to quickly locate a specific connection.
++
+## Related content
+
+[What is Windows 365?](/windows-365/overview) (article)\
+[Windows 365 device management overview for Cloud PCs](/windows-365/device-management-overview) (article)\
+[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)
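Review bot: In the "On-premises network connections tab" section, "To see connections with a specific provisioning status" looks copied from the All Cloud PCs section; the statuses this tab lists are "Successful connections and Failed connections", so it should read "connection status". The IMPORTANT note has "Microsoft 365Lighthouse" without a space, the Overview section refers to the "**All cloud PCs**" tab while the heading and later text use "All Cloud PCs", and "the Windows 365 card on the Microsoft 365 Home page" presumably means the Microsoft 365 Lighthouse Home page and should say so. The "Device name" bullet contains a dash character that shows up mis-decoded here; a colon or comma avoids the encoding problem.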
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
Microsoft Defender for Endpoint Device Control Removable Storage Access Control
- auditing, allowing or preventing the read, write or execute access to removable storage with or without exclusion
-<br>
-****
+#### Access Control
+
+|Privilege |Permission |
+|||
+|Access | Read, Write, Execute |
+|Action Mode | Audit, Allow, Prevent |
+|||
+
+#### Supported deployment method
+|&nbsp; |&nbsp; |
+|||
+|CSP Support | Yes |
+|GPO Support | Yes |
++
+#### Supported target scenario
+| &nbsp; | &nbsp; |
+|||
+|User-based Support | Yes |
+|Machine-based Support | Yes |
+
-|Privilege|Permission|
-|||
-|Access|Read, Write, Execute|
-|Action Mode|Audit, Allow, Prevent|
-|CSP Support|Yes|
-|GPO Support|Yes|
-|User-based Support|Yes|
-|Machine-based Support|Yes|
-|
## Licensing
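Review bot: The new "Supported deployment method" and "Supported target scenario" tables use `&nbsp;` for both column headers, which leaves screen readers and anyone reading the raw Markdown with unlabeled columns; give them real headers such as "Method | Supported" and "Scenario | Supported". The "Access Control" table also ends with a second `|||` row after "Action Mode", which renders as an empty trailing row, and the "Supported deployment method" heading has no blank line before its table, unlike the "Access Control" heading above it.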
Deploy Removable Storage Access Control on Windows 10 devices that have antimalw
:::image type="content" source="images/powershell.png" alt-text="The PowerShell interface"::: > [!NOTE]
-> None of Windows Security components need to be active, you can run Removable Storage Access Control independent of Windows Security status.
+> None of Windows Security components need to be active as you can run Removable Storage Access Control independent of Windows Security status.
## Policy properties You can use the following properties to create a removable storage group:
-### Property name: Group Id
-
-1. Description: [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the group and will be used in the policy.
-
-### Property name: DescriptorIdList
-
-1. Description: List the device properties you want to use to cover in the group. For each device property, see **Device Properties** section above for more detail.
-2. Options:
- - PrimaryId
- - RemovableMediaDevices
- - CdRomDevices
- - WpdDevices
- - DeviceId
- - HardwareId
- - InstancePathId: InstancePathId is a string that uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0. The number at the end (for example **&0**) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*
- - FriendlyNameId
- - SerialNumberId
- - VID
- - PID
- - VID_PID
- - 0751_55E0: match this exact VID/PID pair
- - _55E0: match any media with PID=55E0
- - 0751_: match any media with VID=0751
-
-### Property name: MatchType
-
-1. Description: When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship.
-2. Options:
- - MatchAll: Any attributes under the DescriptorIdList will be **And** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values.
- - MatchAny: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value.
-
-Following are the access control policy properties:
-
-### Property name: PolicyRuleId
-
-1. Description: [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the policy and will be used in the reporting and troubleshooting.
-
-### Property name: IncludedIdList
-
-1. Description: The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups.
-2. Options: The Group ID/GUID must be used at this instance.
-
-The following example shows the usage of GroupID:
-
-`<IncludedIdList> <GroupId>{EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>`
-
-### Property name: ExcludedIDList
-
-Description: The group(s) that the policy won't be applied to.
-
-Options: The Group ID/GUID must be used at this instance.
-
-### Property name: Entry Id
-
-1. Description: One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.
-
-### Property name: Type
-
-1. Description: Defines the action for the removable storage groups in IncludedIDList.
- - Enforcement: Allow or Deny
- - Audit: AuditAllowed or AuditDenied
-2. Options:
-
- - Allow
- - Deny
- - AuditAllowed: Defines notification and event when access is allowed
- - AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.
-
-When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**.
-
-### Property name: Sid
-
-Description: Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific user or user group; one entry can have a maximum of one Sid and an entry without any Sid means applying the policy over the machine.
-
-### Property name: ComputerSid
-
-Description: Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific machine or machine group; one entry can have a maximum of one ComputerSid and an entry without any ComputerSid means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both Sid and ComputerSid into the same Entry.
-
-### Property name: Options
-
-Description: Defines whether to display notification or not.
-
- :::image type="content" source="images/device-status.png" alt-text="The screen on which the status of the device can be seen":::
-
-Options: 0-4. When Type Allow or Deny is selected:
--- 0: nothing-- 4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the **AuditDenied** is setting configured, the system won't show notification.-
-When Type **AuditAllowed** or **AuditDenied** is selected:
--- 0: nothing-- 1: show notification-- 2: send event-- 3: show notification and send event-
-### Property name: AccessMask
-
-Description: Defines the access.
-
-Options 1-7:
--- 1: Read-- 2: Write-- 3: Read and Write-- 4: Execute-- 5: Read and Execute-- 6: Write and Execute-- 7: Read and Write and Execute
+#### Removable Storage Group
+|Property Name |Description |Options |
+||||
+|**GroupId** | [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the group and will be used in the policy. | |
+|**DescriptorIdList** | List the device properties you want to use to cover in the group. For each device property, see [Device Properties](/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection?view=o365-worldwide&preserve-view=true) for more detail.ΓÇï | - **PrimaryId**ΓÇï: RemovableMediaDevices, CdRomDevices, WpdDevices</br> - **DeviceIdΓÇï** </br>- **HardwareIdΓÇï**</br>- **InstancePathId**ΓÇï: InstancePathId is a string that uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*</br>- **FriendlyNameIdΓÇï**</br>- **SerialNumberIdΓÇï**</br>- **VIDΓÇï**</br>- **PIDΓÇï**</br>- **VID_PID**</br> 0751_55E0: match this exact VID/PID pair </br>_55E0: match any media with PID=55E0 </br>0751_: match any media with VID=0751 |
+|**MatchType** | When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship. | **MatchAll**: </br>ΓÇïAny attributes under the DescriptorIdList will be **And** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values.ΓÇï </br> </br>**MatchAny**:</br> ΓÇïThe attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value.ΓÇï |
+||||
++
+#### Access Control Policy
+
+|Property Name |Description |Options |
+||||
+|PolicyRuleIdΓÇï | [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the policy and will be used in the reporting and troubleshooting. | |
+|IncludedIdList | The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups. | The Group ID/GUID must be used at this instance.ΓÇï </br> ΓÇïThe following example shows the usage of GroupID:ΓÇï </br> `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>ΓÇï` |
+|ExcludedIDList | The group(s) that the policy will not be applied to. | The Group ID/GUID must be used at this instance. |
+|Entry Id | One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.ΓÇï | |
+|Type|Defines the action for the removable storage groups in IncludedIDList.ΓÇï </br>- Enforcement: Allow or DenyΓÇï </br>- Audit: AuditAllowed or AuditDeniedΓÇï|- AllowΓÇï </br>- DenyΓÇï</br> - AuditAllowed: Defines notification and event when access is allowedΓÇï</br>- AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.ΓÇï </br></br> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**.ΓÇï|
+|Sid|Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific user or user group; one entry can have a maximum of one Sid and an entry without any Sid means applying the policy over the machine.ΓÇï||
+|ComputerSid|Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific machine or machine group; one entry can have a maximum of one ComputerSid and an entry without any ComputerSid means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both Sid and ComputerSid into the same Entry.ΓÇï||
+|Options|Defines whether to display notification or notΓÇï|0-4. When Type Allow or Deny is selected:</br>ΓÇï</br>0: nothingΓÇï</br>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system will not show notification.ΓÇï </br> </br>When Type **AuditAllowed** or **AuditDenied** is selected:ΓÇï</br>0: nothingΓÇï</br>1: show notificationΓÇï</br>2: send eventΓÇï</br>3: show notification and send eventΓÇï|
+|AccessMask|Defines the access.ΓÇï|1-7:ΓÇï </br></br>1: ReadΓÇï</br>2: WriteΓÇï</br>3: Read and WriteΓÇï</br>4: ExecuteΓÇï</br>5: Read and ExecuteΓÇï</br>6: Write and ExecuteΓÇï</br>7: Read and Write and ExecuteΓÇï|
+||||
## Common Removable Storage Access Control scenarios
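Review bot: the added table cells carry stray characters (rendered here as `ΓÇï`) inside values that admins will copy into policy XML, for example `**DeviceIdΓÇï**`, `PolicyRuleIdΓÇï` and the tail of the `<IncludedIdList>` sample, and that sample also has a space inside the element value: `<GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId>`. Strip both so pasted property names and GUIDs match exactly. Two wording points in the same rows: the MatchAny text says `InstanceID` where the sentence before it uses `InstancePathID`, and the Options row keeps the phrase "the AuditDenied is setting configured" from the removed text, which should read "the AuditDenied setting is configured".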
The Microsoft 365 security portal shows removable storage blocked by the Device
```kusto //events triggered by RemovableStoragePolicyTriggered DeviceEvents
-| where ActionType == "RemovableStoragePolicyTriggered"
-| extend parsed=parse_json(AdditionalFields)
-| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess) 
-| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict) 
-| extend MediaBusType = tostring(parsed.BusType) 
+
+| where ActionType == "RemovableStoragePolicyTriggered"
+| extend parsed=parse_json(AdditionalFields)
+| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess) 
+| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict) 
+| extend MediaBusType = tostring(parsed.BusType) 
| extend MediaClassGuid = tostring(parsed.ClassGuid) | extend MediaClassName = tostring(parsed.ClassName) | extend MediaDeviceId = tostring(parsed.DeviceId)
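Review bot: the only visible change in this hunk is the added empty line between `DeviceEvents` and the first `| where`; the `| where` and `| extend` lines are removed and re-added with no visible difference. In query editors that treat an empty line as the end of a query, `DeviceEvents` would run on its own and the `| where ActionType == "RemovableStoragePolicyTriggered"` filter would be left orphaned, so drop the blank line and keep the first pipe directly under the table name.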
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 07/12/2021 Last updated : 08/04/2021 # Manage Microsoft Defender Antivirus updates and apply baselines
All our updates contain
- integration improvements (Cloud, [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)). <br/> <details>
+<summary> July-2021 (Platform: 4.18.2107.4 | Engine: 1.1.18400.x)</summary>
+
+&ensp;Security intelligence update version: **x.xxx.xx.x**
+&ensp;Released: **date, 2021**
+&ensp;Platform: **4.18.2107.4**
+&ensp;Engine: **1.1.18400.x**
+&ensp;Support phase: **Security and Critical Updates**
+
+### What's new
+- Device control support added for Windows Portable Devices
+- Potentially unwanted applications (PUA) protection is turned on by default for consumers (See [Potentially unwanted apps will be blocked by default](https://support.microsoft.com/windows/potentially-unwanted-apps-will-be-blocked-by-default-b9f53cb9-7f1e-40bb-8c6b-a17e0ab6289e))
+- Scheduled scans for Group Policy Object managed systems will adhere to user configured scan time
+
+### Known Issues
+No known issues
+<br/>
+</details><details>
<summary> June-2021 (Platform: 4.18.2106.5 | Engine: 1.1.18300.4)</summary> &ensp;Security intelligence update version: **1.343.17.0**
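Review bot: the new July-2021 entry is published with unfilled placeholders: `Security intelligence update version: **x.xxx.xx.x**`, `Released: **date, 2021**` and `Engine: **1.1.18400.x**` (the `<summary>` line repeats the `.x`). Only `Platform: **4.18.2107.4**` is concrete. Fill in the real values or hold the entry until they are known, because readers use these fields to confirm which build a device is running.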
No known issues
### Known Issues No known issues <br/>
-</details><details>
+</details>
+
+### Previous version updates: Technical upgrade support only
+
+After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.
+<details>
<summary> April-2021 (Platform: 4.18.2104.14 | Engine: 1.1.18100.5)</summary> &ensp;Security intelligence update version: **1.337.2.0** &ensp;Released: **April 26, 2021** (Engine: 1.1.18100.6 released May 5, 2021) &ensp;Platform: **4.18.2104.14** &ensp;Engine: **1.1.18100.5**
-&ensp;Support phase: **Security and Critical Updates**
+&ensp;Support phase: **Technical upgrade support (only)**
### What's new - Additional behavior monitoring logic
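Review bot: the paragraph moved up with the "Previous version updates" heading says support for the previous two versions is reduced to technical support only and that versions older than that are listed in this section, which leaves it unclear whether the April-2021 entry now placed first in the section is one of the "previous two" or "older than that". Reword the paragraph so the two groups are distinguishable, and align the entry's phase label `Technical upgrade support (only)` with the heading's "Technical upgrade support only".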
No known issues
### Known Issues No known issues <br/>
-</details>
-
-### Previous version updates: Technical upgrade support only
-
-After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.
-<details>
+</details><details>
<summary> March-2021 (Platform: 4.18.2103.7 | Engine: 1.1.18000.5)</summary> &ensp;Security intelligence update version: **1.335.36.0**
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
Defender for Endpoint directly integrates with various Microsoft solutions, incl
With Microsoft 365 Defender, Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
-## Related topic
-[Microsoft Defender for Endpoint helps detect sophisticated threats](https://www.microsoft.com/itshowcase/microsoft-defender-atps-antivirus-capabilities-boost-malware-protection)
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
For detailed licensing information, see the [Product Terms site](https://www.mic
For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
-For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wfbdevicemanagementprod.blob.core.windows.net/windowsforbusiness/Windows10_CommercialEdition_Comparison.pdf).
+ ## Browser requirements
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
The package contains the following folders:
|Autoruns|Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker's persistency on the device. <p> <div class="alert"><b>NOTE:</b> If the registry key is not found, the file will contain the following message: "ERROR: The system was unable to find the specified registry key or value."<div>| |Installed programs|This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509).| |Network connections|This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker's command and control (C&C) infrastructure, any lateral movement, or remote connections. <ul><li>ActiveNetConnections.txt: Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.</li><li>Arp.txt: Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that might have been used to run an internal attack.</il><li>DnsCache.txt: Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.</li><li>IpConfig.txt: Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.</li><li>FirewallExecutionLog.txt and pfirewall.log</li></ul>|
-|Prefetch files|Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. <il><li>Prefetch folder: Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.</li><li>PrefetchFilesList.txt: Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder.</li></ul>|
+|Prefetch files|Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. <ul><li>Prefetch folder: Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.</li><li>PrefetchFilesList.txt: Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder.</li></ul>|
|Processes|Contains a .CSV file listing the running processes, which provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state.| |Scheduled tasks|Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen device to look for suspicious code which was set to run automatically.| |Security event log|Contains the security event log, which contains records of login or logout activity, or other security-related events specified by the system's audit policy. <p><div class="alert"><b>NOTE:</b> Open the event log file using Event viewer.</div>|
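Review bot: the unchanged rows of this table still carry the same kind of tag typo that this change fixes for Prefetch. In the Network connections row the Arp.txt item closes with `</il>` instead of `</li>`, and in the Autoruns row the NOTE opens `<div class="alert">` and then ends with a second `<div>` rather than `</div>`. Fix both in the same change so the list and the alert box in those cells close correctly.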
security Eval Create Eval Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-create-eval-environment.md
Title: Create the Microsoft 365 Defender Evaluation Environment. Activate or enable trial licenses, and continue on to Microsoft Defender for Identity (MDI).
+ Title: Create the Microsoft 365 Defender Evaluation Environment
description: Set up your Microsoft 365 Defender trial lab or pilot environment by activating trial licenses. Then set up Microsoft Defender for Identity (MDI) and all other M365D evaluations. search.product: eADQiWindows 10XVcnh search.appverid: met150
security Eval Defender Endpoint Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-enable-eval.md
Title: Enable Microsoft Defender for Endpoint evaluation, activate the evaluation for MDE
+ Title: Enable Microsoft Defender for Endpoint evaluation
description: Enable your Microsoft 365 Defender trial lab or pilot environment, including checking license state, and onboarding enpoints search.product: eADQiWindows 10XVcnh search.appverid: met150
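Review bot: the `description` line under the new title still reads `onboarding enpoints`; correct it to `endpoints` while the metadata block is being edited.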
security Eval Defender Endpoint Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-overview.md
Title: Evaluate Microsoft Defender for Endpoint overview, including reviewing the architecture, enabling or activating the evaluation environment, and building a pilot.
+ Title: Evaluate Microsoft Defender for Endpoint overview, including reviewing the architecture
description: Steps for the set up for a Microsoft 365 Defender trial lab or pilot environment. Test and experience how the security solution is designed to protect devices, identity, data, and apps in your organization. search.product: eADQiWindows 10XVcnh search.appverid: met150
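Review bot: the new title `Evaluate Microsoft Defender for Endpoint overview, including reviewing the architecture` still ends in a trailing clause, unlike the other titles shortened in this batch (for example `Pilot Microsoft Defender for Endpoint`). Suggest `Evaluate Microsoft Defender for Endpoint overview`, and in the description `Steps for the set up for` reads better as `Steps to set up`.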
security Eval Defender Endpoint Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-pilot.md
Title: Pilot Microsoft Defender for Endpoint, set up a pilot, test capabilities in evaluation
+ Title: Pilot Microsoft Defender for Endpoint
description: Learn how to run a pilot for Microsoft Defender for Endpoint(MDE), including verifying the pilot group and trying out capabilities. search.product: eADQiWindows 10XVcnh search.appverid: met150
security Eval Defender Identity Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-architecture.md
Title: Review architecture requirements and the technical framework for Microsoft Defender for Identity, architecture diagram, MDI
+ Title: Review architecture requirements and the technical framework for Microsoft Defender for Identity
description: The technical diagram for Microsoft Defender for Identity in Microsoft 365 Defender will help you understand identity in Microsoft 365 before you build your trial lab or pilot environment. search.product: eADQiWindows 10XVcnh search.appverid: met150
security Eval Defender Identity Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-enable-eval.md
Title: Enable the evaluation environment for Microsoft Defender for Identity, set up the MDI instance, install and configure MDI sensor, let MDI sensor detect local admins
+ Title: Enable the evaluation environment for Microsoft Defender for Identity
description: Set up Microsoft Defender for Identity in Microsoft 365 Defender trial lab or pilot environment by installing & configuring the sensor, and discovering local admins on other computers. search.product: eADQiWindows 10XVcnh search.appverid: met150
security Eval Defender Identity Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-overview.md
Title: Evaluate Microsoft 365 Defender for Identity overview, set up evaluation, eval and pilot
+ Title: Evaluate Microsoft 365 Defender for Identity overview, set up evaluation
description: Steps for the evaluation of Microsoft 365 Defender for Identity including requirements, enabling or activating the eval, and set up of the pilot or test. search.product: eADQiWindows 10XVcnh search.appverid: met150
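Review bot: the new title keeps the product name `Microsoft 365 Defender for Identity`, while the sibling pages in this batch are titled with `Microsoft Defender for Identity`, and it still ends in the keyword fragment `, set up evaluation`. Use one product name across the set and drop the fragment, as was done for the other titles.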
security Eval Defender Identity Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-pilot.md
Title: Pilot Microsoft Defender for Identity, set up configuration benchmarks, standards, guidelines, and take tutorials about detecting, and remediating various Identity threats like reconnaissance, compromised credential, lateral movement, domain dominance, and exfiltration alerts, conduct user, computer, entity, and lateral movement paths investigation.
+ Title: Pilot Microsoft Defender for Identity
description: Pilot Microsoft Defender for Identity, set benchmarks, take tutorials on reconnaissance, compromised credential, lateral movement, domain dominance, and exfiltration alerts, among others. search.product: eADQiWindows 10XVcnh search.appverid: met150
security Eval Defender Investigate Respond Additional https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond-additional.md
Title: Try Microsoft 365 Defender incident response capabilities in a pilot environment, to prioritize and manage incidents, configure automated investigation and response, and use advanced hunting
+ Title: Try Microsoft 365 Defender incident response capabilities in a pilot environment
description: Try incident response capabilities in Microsoft 365 Defender to prioritize and manage incidents, automate investigations, and use advanced hunting in threat detection. keywords: Microsoft 365 Defender trial, try Microsoft 365 Defender, evaluate Microsoft 365 Defender, Microsoft 365 Defender evaluation lab, Microsoft 365 Defender pilot, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting search.product: eADQiWindows 10XVcnh
security Eval Defender Investigate Respond Simulate Attack https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond-simulate-attack.md
Title: Run an attack simulation in a Microsoft 365 Defender pilot environment, isolated environment for attack simulation, response, remediation
+ Title: Run an attack simulation in a Microsoft 365 Defender pilot environment
description: Run attack simulations for Microsoft 365 Defender to see how how alerts and incidents are presented, insights are gained, and threats are quickly remediated. search.product: eADQiWindows 10XVcnh search.appverid: met150
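Review bot: the `description` line under the new title contains a doubled word, `to see how how alerts and incidents are presented`; remove the repeat in this change.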
security Eval Defender Investigate Respond https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond.md
Title: Investigate and respond using Microsoft 365 Defender in a pilot environment, and use Attack Simulator, teach users to detect, investigate attack surfaces, and strengthen your security posture
+ Title: Investigate and respond using Microsoft 365 Defender in a pilot environment
description: Set up attack simulations in Microsoft 365 Defender trial lab or pilot environment to try out the security solution designed to teach users to protect devices, identity, data, and applications. search.product: eADQiWindows 10XVcnh search.appverid: met150
security Eval Defender Mcas Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-architecture.md
Title: Review architecture requirements and the structure for Microsoft Cloud App Security, plan the configuration and design by knowing the framework of Cloud App Security in Microsoft 365 Defender
+ Title: Review architecture requirements and the structure for Microsoft Cloud App Security
description: Microsoft Cloud App Security technical diagrams explain the architecture in Microsoft 365 Defender, which will help you build a pilot environment. search.product: eADQiWindows 10XVcnh search.appverid: met150
security Eval Defender Mcas Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-enable-eval.md
Title: Enable the evaluation environment for Microsoft Cloud App Security description: Learn the architecture of MCAS within Microsoft Defender for Office 365 and understand interactions between the Microsoft 365 Defender products.
-keywords: Microsoft 365 Defender trial, try Microsoft 365 Defender, evaluate Microsoft 365 Defender, Microsoft 365 Defender evaluation lab, Microsoft 365 Defender pilot, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
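Review bot: with the `keywords` line removed, `description` is the only summary left in this metadata block, and it does not match the title. The title is `Enable the evaluation environment for Microsoft Cloud App Security`, but the description reads `Learn the architecture of MCAS within Microsoft Defender for Office 365`, which describes an architecture page and places MCAS within Defender for Office 365 where the sibling pages say Microsoft 365 Defender. Rewrite the description to cover enabling the evaluation.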
security Eval Defender Mcas Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-overview.md
Title: Evaluate Microsoft Cloud App Security overview, setup or set up an evaluation of device, identity, data, and app protection, as part of Microsoft 365 Defender
+ Title: Evaluate Microsoft Cloud App Security overview
description: Steps to set up your Microsoft 365 Defender trial lab or pilot environment to try out and experience the security solution designed to protect devices, identity, data, and applications in your organization. search.product: eADQiWindows 10XVcnh search.appverid: met150
security Eval Defender Mcas Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-pilot.md
Title: Pilot Microsoft Cloud App Security with Microsoft 365 Defender, create pilot groups, configure conditional access control, try out capabilities, setup as part of Microsoft 365 Defender
+ Title: Pilot Microsoft Cloud App Security with Microsoft 365 Defender
description: Set up your Microsoft 365 Defender trial lab or pilot environment to test and experience the security solution designed to protect devices, identity, data, and applications. search.product: eADQiWindows 10XVcnh search.appverid: met150
security Eval Defender Office 365 Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-architecture.md
Title: Review architecture requirements and planning concepts for Microsoft Defender for Office 365, construction, building, and design frameworks
+ Title: Review architecture requirements and planning concepts for Microsoft Defender for Office 365
description: The technical diagram for Microsoft Defender for Office 365 in Microsoft 365 Defender will help you understand identity in Microsoft 365 before you build your trial lab or pilot environment. search.product: eADQiWindows 10XVcnh search.appverid: met150
security Eval Defender Office 365 Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-enable-eval.md
Title: Enable the evaluation environment for Microsoft Defender for Office 365 in your production environment, activate your evaluation, activation
+ Title: Enable the evaluation environment for Microsoft Defender for Office 365 in your production environment
description: Steps to activate Microsoft Defender for Office365 evaluation, with trial licenses, MX record handling, & auditing of accepted domains and inbound connections.
-keywords: Microsoft 365 Defender trial, try Microsoft 365 Defender, evaluate Microsoft 365 Defender, Microsoft 365 Defender evaluation lab, Microsoft 365 Defender pilot, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Eval Defender Office 365 Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-overview.md
Title: Evaluate Microsoft Defender for Office 365 overview, how to evaluate, evaluation steps
+ Title: Evaluate Microsoft Defender for Office 365 overview
description: Use this overview to learn the steps to set up an MDO pilot, including requirements, enabling or activating the eval, and setting up the pilot. search.product: eADQiWindows 10XVcnh search.appverid: met150
security Eval Defender Office 365 Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-pilot.md
Title: Pilot Microsoft Defender for Office 365, use the evaluation in your production environment, promote the evaluation to live in production, learn how to evaluate Defender
+ Title: Pilot Microsoft Defender for Office 365, use the evaluation in your production environment
description: Steps to pilot your Evaluation with groups of active and existing users in order to properly test the features of Microsoft Defender for Office 365. search.product: eADQiWindows 10XVcnh search.appverid: met150
security Eval Defender Promote To Production https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-promote-to-production.md
Title: Promote your Microsoft 365 Defender evaluation environment to Production, Microsoft 365 Defender evaluation, try an evaluation, keep an evaluation, production evaluation
+ Title: Promote your Microsoft 365 Defender evaluation environment to Production
description: Use this article to promote your evals of MDI, MDO, MDE, and MCAS to your live environment in Microsoft 365 Defender or M365D. search.product: eADQiWindows 10XVcnh search.appverid: met150
security Eval Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-overview.md
Title: Evaluate and pilot Microsoft 365 Defender, an XDR, to prevent, detect, investigate, respond, endpoints, identities, apps, email, collaborative applications, data.
+ Title: Evaluate and pilot Microsoft 365 Defender, an XDR
description: Plan your Microsoft 365 Defender trial lab or pilot environment to test and experience a security solution designed to protect devices, identity, data, and applications. search.product: eADQiWindows 10XVcnh search.appverid: met150
security Admin Review Reported Message https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-review-reported-message.md
localization_priority: Normal - M365-security-compliance
-description: Learn how to review messages that are reported and give feedback to your users.
+description: Learn how to review messages that are reported and give feedback to your users.
ms.technology: mdo ms.prod: m365-security
You will only be able to mark and notify users of review results if the message
1. In the Microsoft 365 Defender portal, go directly to the **Submissions** page: [https://security.microsoft.com/reportsubmission}(https://security.microsoft.com/reportsubmission).
-2. Click **User reported messages**, and then select the message you want to mark and notify.
+2. Click **User reported messages**, and then select the message you want to mark and notify.
-3. Select the **Mark as and notify** drop-down, and then select **No threats found**, **Phishing**, or **Junk**.
+3. Select the **Mark as and notify** drop-down, and then select **No threats found**, **Phishing**, or **Junk**.
> [!div class="mx-imgBorder"] > ![Send messages from portal](../../media/admin-review-send-message-from-portal.png)
-The reported message will be marked as either false positive or false negative, and an email will be automatically sent from within the portal notifying the user who reported the message.
+The reported message will be marked as either false positive or false negative, and an email will be automatically sent from within the portal notifying the user who reported the message.
## Customize the messages used to notify users
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Others** section \> **User reported message settings**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **User reported message settings** in the **Others** section.
2. On the **User submissions** page, if you want to specify the sender display name, check the box for **Specify Office 365 email address to use as sender** under the **Email notifications for admin review results** section, and enter in the name you wish to use. The email address that will be visible in Outlook and all the replies will go there.
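Review bot: step 1, left unchanged just above these edits, has a malformed link: `[https://security.microsoft.com/reportsubmission}(https://security.microsoft.com/reportsubmission)` closes the link text with `}` instead of `]`, so it will not render as a link. Since the surrounding steps are being touched for whitespace only, fix it here. The last sentence of the sender-name step, "The email address that will be visible in Outlook and all the replies will go there.", is also a fragment and should say which address is meant.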
security Configuration Analyzer For Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies.md
Title: Configuration analyzer for security policies
+f1.keywords:
- NOCSH - Previously updated : + Last updated : audience: ITPro localization_priority: Normal
+search.appverid:
- MET150-
+ms.assetid:
+ - M365-security-compliance
-description: Admins can learn how to use the configuration analyzer to find and fix security policies that are below the Standard protection and Strict protection preset security policies.
+description: Admins can learn how to use the configuration analyzer to find and fix security policies that are below the settings in Standard protection and Strict protection in preset security policies.
ms.technology: mdo ms.prod: m365-security
Configuration analyzer in the Microsoft 365 Defender portal provides a central l
The following types of policies are analyzed by the configuration analyzer: - **Exchange Online Protection (EOP) policies**: This includes Microsoft 365 organizations with Exchange Online mailboxes and standalone EOP organizations without Exchange Online mailboxes:- - [Anti-spam policies](configure-your-spam-filter-policies.md). - [Anti-malware policies](configure-anti-malware-policies.md). - [EOP anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings). - **Microsoft Defender for Office 365 policies**: This includes organizations with Microsoft 365 E5 or Defender for Office 365 add-on subscriptions:- - Anti-phishing policies in Microsoft Defender for Office 365, which include: - The same [spoof settings](set-up-anti-phishing-policies.md#spoof-settings) that are available in the EOP anti-phishing policies. - [Impersonation settings](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)
The following types of policies are analyzed by the configuration analyzer:
- [Safe Links policies](set-up-safe-links-policies.md). - [Safe Attachments policies](set-up-safe-attachments-policies.md).
-The **Standard** and **Strict** policy setting values that are used as baselines are described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
+The Standard and Strict policy setting values that are used as baselines are described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
## What do you need to know before you begin?
The **Standard** and **Strict** policy setting values that are used as baselines
For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md). > [!NOTE]
- >
- > - Adding users to the corresponding Azure Active Directory role gives users the required permissions in the Microsoft 365 Defender portal _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
>
+ > - Adding users to the corresponding Azure Active Directory role gives users the required permissions in the Microsoft 365 Defender portal _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
> - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature. ## Use the configuration analyzer in the Microsoft 365 Defender portal
-In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Templated policies** section \> **Configuration analyzer**.
+In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Configuration analyzer** in the **Templated policies** section.
-The **Configuration analyzer** page has two main tabs:
+The **Configuration analyzer** page has three main tabs:
-- **Settings and recommendations**: You pick **Standard** or **Strict** and compare those settings to your existing security policies. In the results, you can adjust the values of your settings to bring them up to the same level as Standard or Strict.-- **Configuration drift analysis and history**: This view allows you to track policy changes over time.
+- **Standard recommendations**: Compare your existing security policies to the Standard recommendations. You can adjust your settings values to bring them up to the same level as Standard.
+- **Strict recommendations**: Compare your existing security policies to the Strict recommendations. You can adjust your settings values to bring them up to the same level as Strict.
+- **Configuration drift analysis and history**: Audit and track policy changes over time.
-### Setting and recommendations tab in the configuration analyzer
+### Standard recommendations and Strict recommendations tabs in the configuration analyzer
-By default, the tab opens on the comparison to the Standard protection profile. You can switch to the comparison of the Strict protection profile by selecting **View Strict recommendations**. To switch back, select **View Standard recommendations**.
+By default, the configuration analyzer opens on the **Standard recommendations** tab. You can switch to the **Strict recommendations** tab. The settings, layout, and actions are the same on both tabs.
![Settings and recommendations view in the Configuration analyzer](../../media/configuration-analyzer-settings-and-recommendations-view.png)
-By default, the **Policy group/setting name** column contains a collapsed view of the different types of security policies and the number of settings that need improvement (if any). The types of policies are:
+The first section of the tab displays the number of settings in each type of policy that need improvement as compared to Standard or Strict protection. The types of policies are:
- **Anti-spam** - **Anti-phishing**
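Review bot: The screenshot line kept as context in this hunk still has the alt text "Settings and recommendations view in the Configuration analyzer" and points at configuration-analyzer-settings-and-recommendations-view.png, but the same hunk renames that tab to **Standard recommendations** and **Strict recommendations** and changes the tab count from two to three. Update the alt text and confirm the image shows the new three-tab layout, so the picture matches the heading it sits under.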
By default, the **Policy group/setting name** column contains a collapsed view o
- **Safe Attachments** (if your subscription includes Microsoft Defender for Office 365) - **Safe Links** (if your subscription includes Microsoft Defender for Office 365)
-In the default view, everything is collapsed. Next to each policy, there's a summary of comparison results from your policies (which you can modify) and the settings in the corresponding policies for the Standard or Strict protection profiles (which you can't modify). You'll see the following information for the protection profile that you're comparing to:
+If a policy type and number isn't shown, then all of your policies of that type meet the recommended settings of Standard or Strict protection.
-- **Green**: All settings in all existing policies are at least as secure as the protection profile.-- **Amber**: A small number of settings in the existing policies are not as secure as the protection profile.-- **Red**: A significant number of settings in the existing policies are not as secure as the protection profile. This could be a few settings in many policies or many settings in one policy.
+The rest of the tab is the table of settings that need to be brought up to the level Standard or Strict protection. The table contains the following columns:
-For favorable comparisons, you'll see the text: **All settings follow** \<**Standard** or **Strict**\> **recommendations**. Otherwise, you'll see the number of recommended settings to change.
+- **Recommendations**: The value of the setting in the Standard or Strict protection profile.
+- **Policy**: The name of the affected policy that contains the setting.
+- **Policy group/setting name**: The name of the setting that requires your attention.
+- **Policy type**: Anti-spam, Anti-phishing, Anti-malware, Safe Links, or Safe Attachments.
+- **Current configuration**: The current value of the setting.
+- **Last modified**: The date that the policy was last modified.
+- **Status**: Typically, this value is **Not started**.
-If you expand **Policy group/setting name**, all of the policies and the associated settings in each specific policy that require attention are revealed. Or, you can expand a specific type of policy (for example, **Anti-spam**) to see just those settings in those types of policies that require your attention.
+### Change a policy setting to the recommended value
-If the comparison has no recommendations for improvement (green), expanding the policy reveals nothing. If there are any number of recommendations for improvement (amber or red), the settings that require attention are revealed, and corresponding information is revealed in the following columns:
+On the **Standard protection** or **Strict protection** tab of the configuration analyzer, select the row in the table. The following buttons appear:
-- **Policy group/setting name**: The name of the setting that requires your attention. For example, in the previous screenshot, it's the settings in the default anti-spam policy.-- **Policy**: The name of the affected policy that contains the setting.-- **Applied to**: The number of users that the affected policies are applied to.-- **Current configuration**: The current value of the setting. For the default policy of that type that applies to all recipients, this value is blank.-- **Last modified**: The date that the policy was last modified.-- **Recommendations**: The value of the setting in the Standard or Strict protection profile. To change the value of the setting in your policy to match the recommended value in the protection profile, click **Adopt**. If the change is successful, you'll see the message: **Recommendations successfully adopted**. Click **Refresh** to see the reduced number of recommendations, and the removal of the specific setting/policy row from the results.
+- **Apply recommendation**
+- **View policy**
+- **Refresh**:
+
+If you select a row and click **Apply recommendation**, a confirmation dialog (with the option to not show the dialog again) appears. If you click **OK**, the following things happen:
+
+- The setting is updated to the recommended value.
+- The **Apply recommendation** and **View policy** disappear (only the **Refresh** button remains).
+- The **Status** value for the row changes to **Complete**.
+
+If you select a row and click **View policy** you're taken to the details flyout of the affected policy in the Microsoft 365 Defender portal where you can manually update the setting.
+
+After you automatically or manually update the setting, click **Refresh** to see the reduced number of recommendations and the removal of the updated row from the results.
### Configuration drift analysis and history tab in the configuration analyzer
-This tab allows you to track the changes that you've made to your custom security policies. By default, the following information is displayed:
+This tab allows you to track the changes that have been made to your security policies and how those changes compare to the Standard or Strict settings. By default, the following information is displayed:
- **Last modified** - **Modified by** - **Setting Name**-- **Policy**-- **Type**-- **Configuration change**-- **Configuration drift**: The value **Increase** or **Decrease**.
+- **Policy**: The name of the affected policy.
+- **Type**: Anti-spam, Anti-phishing, Anti-malware, Safe Links, or Safe Attachments.
+- **Configuration change**: The old value and the new value of the setting
+- **Configuration drift**: The value **Increase** or **Decrease** that indicates the setting increased or decreased security compared to the recommended Standard or Strict setting.
To filter the results, click **Filter**. In the **Filters** flyout that appears, you can select from the following filters: -- **Start time** and **End time** (date)
+- **Start time** and **End time** (date): You can go back as far as 90 days from today.
- **Standard protection** or **Strict protection**
+When you're finished, click **Apply**.
+ To export the results to a .csv file, click **Export**.
+To filter the results by a specific **Modified by**, **Setting name**, or **Type** value, use the **Search** box.
+ ![Configuration drift analysis and history view in the Configuration analyzer](../../media/configuration-analyzer-configuration-drift-analysis-view.png)
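Review bot: The first sentence of the new "Change a policy setting to the recommended value" section names the tabs **Standard protection** and **Strict protection**, but the tab list and the heading added earlier in this change call them **Standard recommendations** and **Strict recommendations**. Use the tab names so readers can find them. Smaller points in the same hunk: "brought up to the level Standard or Strict protection" is missing "of", the "**Refresh**:" bullet ends in a colon with nothing after it, "The **Apply recommendation** and **View policy** disappear" needs "buttons", and the **Configuration change** bullet is the only one in its list without a closing period.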
security Configure Advanced Delivery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-advanced-delivery.md
Messages that are identified by the advanced delivery policy aren't security thr
- [Threat Explorer/Real-time detections in Defender for Office 365 plan 2](threat-explorer.md): Admin can filter on **System override source** and select either **Phishing simulation** or **SecOps Mailbox**. - The [Email entity Page in Threat Explorer/Real-time detections](mdo-email-entity-page.md): Admin can view a message that was allowed by organization policy by either **SecOps mailbox** or **Phishing simulation** under **Tenant override** in the **Override(s)** section. - The [Threat protection status report](view-email-security-reports.md#threat-protection-status-report): Admin can filter by **view data by System override** in the drop down menu and select to see messages allowed due to a phishing simulation system override. To see messages allowed by the SecOps mailbox override, you can select **chart breakdown by delivery location** in the **chart breakdown by reason** drop down menu.-- [Advanced hunting in Microsoft Defender for Endpoint](../defender-endpoint/advanced-hunting-overview.md): Phishing simulation and SecOps mailbox system overrides will show as options within OrgLevelPolicy in EmailEvents.
+- [Advanced hunting in Microsoft Defender for Endpoint](../defender-endpoint/advanced-hunting-overview.md): Phishing simulation and SecOps mailbox system overrides will show as options within OrgLevelPolicy in EmailEvents.
- [Campaign Views](campaigns.md): Admin can filter on **System override source** and select either **Phishing simulation** or **SecOps Mailbox**. ## What do you need to know before you begin?
Messages that are identified by the advanced delivery policy aren't security thr
## Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Rules** section \> **Advanced delivery**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Advanced delivery** in the **Rules** section.
2. On the **Advanced delivery** page, verify that the **SecOps mailbox** tab is selected, and then do one of the following steps: - Click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit**.
The SecOps mailbox entries that you configured are displayed on the **SecOps mai
## Use the Microsoft 365 Defender portal to configure third-party phishing simulations in the advanced delivery policy
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Rules** section \> **Advanced delivery**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Advanced delivery** in the **Rules** section.
2. On the **Advanced delivery** page, select the **Phishing simulation** tab, and then do one of the following steps: - Click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit**. - If there are no configured phishing simulations, click **Add**.
-3. On the **Edit third-party phishing simulation** flyout that opens, configure the following settings:
-
-The `5321.MailFrom` address (also known as the **MAIL FROM** address, P1 sender, or envelope sender) is the email address that's used in the SMTP transmission of the message.
+3. On the **Edit third-party phishing simulation** flyout that opens, configure the following settings:
- **Sending domain**: Expand this setting and enter at least one email address domain (for example, contoso.com) by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries. > [!NOTE]
- > Use the domain from the `5321.MailFrom` address (also known as the **MAIL FROM** address, P1 sender, or envelope sender) that's used in the SMTP transmission of the message. This email address is typically recorded in the **Return-Path** header field in the message header.
+ > Use the domain from the `5321.MailFrom` address (also known as the **MAIL FROM** address, P1 sender, or envelope sender) that's used in the SMTP transmission of the message.
- **Sending IP**: Expand this setting and enter at least one valid IPv4 address by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries. Valid values are: - Single IP: For example, 192.168.1.1.
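Review bot: The rewritten note under **Sending domain** drops the sentence "This email address is typically recorded in the **Return-Path** header field in the message header." With that gone, the note names the `5321.MailFrom` address but no longer says where an admin can read it from a delivered simulation message. Keep the sentence, or state in the commit message why the Return-Path pointer was removed.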
The `5321.MailFrom` address (also known as the **MAIL FROM** address, P1 sender,
- **Simulation URLs to allow**: Expand this setting and optionally enter specific URLs that are part of your phishing simulation campaign that should not be blocked or detonated by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. You can add up to 10 entries. For the URL syntax format, see [URL syntax for the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list#url-syntax-for-the-tenant-allowblock-list). To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
-
+ > [!NOTE] > You must specify at least one **Sending domain** and at least one **Sending IP** to configure a third-party phishing simulation in Advanced Delivery. You may optionally include **Simulation URLs to allow** to ensure URLs present in simulation messages are not blocked. You may specify up to 10 entries for each field. There must be a match on at least one **Sending domain** and one **Sending IP** but no association between values is maintained.
security Configure Anti Malware Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-malware-policies.md
Title: Configure anti-malware policies
+f1.keywords:
- NOCSH Previously updated : Last updated : audience: ITPro localization_priority: Normal
+search.appverid:
- MET150 ms.assetid: b0cfc21f-e3c6-41b6-8670-feb2b2e252e5-+ - M365-security-compliance - m365initiative-defender-office365 description: Admins can learn how to view, create, modify, and remove anti-malware policies in Exchange Online Protection (EOP).
You can configure anti-malware policies in the Microsoft 365 Defender portal or
Creating a custom anti-malware policy in the Microsoft 365 Defender portal creates the malware filter rule and the associated malware filter policy at the same time using the same name for both.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-Malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section.
2. On the **Anti-malware** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
Creating a custom anti-malware policy in the Microsoft 365 Defender portal creat
## Use the Microsoft 365 Defender portal to view anti-malware policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section.
2. On the **Anti-malware** page, the following properties are displayed in the list of anti-malware policies: - **Name**
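Review bot: The new step 1 writes the link name as **Anti-Malware**, while the line it replaces and step 2 directly below both use **Anti-malware**. The same capitalised form is introduced in the modify, enable or disable, priority, and remove procedures later in this file. Pick the casing the portal shows and use it in both steps of each procedure.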
Creating a custom anti-malware policy in the Microsoft 365 Defender portal creat
## Use the Microsoft 365 Defender portal to modify anti-malware policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section.
2. On the **Anti-malware** page, select a policy from the list by clicking on the name.
-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the Microsoft 365 Defender portal to create anti-malware policies](#use-the-microsoft-365-defender-portal-to-create-anti-malware-policies) section in this article.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the Microsoft 365 Defender portal to create anti-malware policies](#use-the-microsoft-365-defender-portal-to-create-anti-malware-policies) section in this article.
For the default anti-malware policy, the **Users, groups, and domains** section isn't available (the policy applies to everyone), and you can't rename the policy.
To enable or disable a policy or set the policy priority order, see the followin
You can't disable the default anti-malware policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section.
2. On the **Anti-malware** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
- In the Microsoft 365 Defender portal, you can only change the priority of the anti-malware policy after you create it. In PowerShell, you can override the default priority when you create the malware filter rule (which can affect the priority of existing rules). - Anti-malware policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-malware policy has the priority value **Lowest**, and you can't change it.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section.
2. On the **Anti-malware** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
When you use the Microsoft 365 Defender portal to remove a custom anti-malware policy, the malware filter rule and the corresponding malware filter policy are both deleted. You can't remove the default anti-malware policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section.
2. On the **Anti-malware page**, select a custom policy from the list by clicking on the name.
security Configure Anti Phishing Policies Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop.md
Title: Configure anti-phishing policies in EOP
+f1.keywords:
- NOCSH audience: ITPro Previously updated : Last updated : localization_priority: Normal-
+ms.assetid:
+ - M365-security-compliance description: Admins can learn how to create, modify, and delete the anti-phishing policies that are available in Exchange Online Protection (EOP) organizations with or without Exchange Online mailboxes. ms.technology: mdo
To increase the effectiveness of anti-phishing protection, you can create custom
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.
2. On the **Anti-phishing** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
## Use the Microsoft 365 Defender portal to view anti-phishing policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.
2. On the **Anti-phishing** page, the following properties are displayed in the list of policies:
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
## Use the Microsoft 365 Defender portal to modify anti-phishing policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.
2. On the **Anti-phishing** page, select a policy from the list by clicking on the name.
-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the Microsoft 365 Defender portal to create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the Microsoft 365 Defender portal to create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.
For the default anti-phishing policy, the **Users, groups, and domains** section isn't available (the policy applies to everyone), and you can't rename the policy.
To enable or disable a policy or set the policy priority order, see the followin
You can't disable the default anti-phishing policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
- In the Microsoft 365 Defender portal, you can only change the priority of the anti-phishing policy after you create it. In PowerShell, you can override the default priority when you create the anti-phish rule (which can affect the priority of existing rules). - Anti-phishing policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-phishing policy has the priority value **Lowest**, and you can't change it.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
When you use the Microsoft 365 Defender portal to remove a custom anti-phishing policy, the anti-phish rule and the corresponding anti-phish policy are both deleted. You can't remove the default anti-phishing policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
For detailed syntax and parameter information, see [Remove-AntiPhishRule](/power
To verify that you've successfully configured anti-phishing policies in EOP, do any of the following steps: -- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
- In Exchange Online PowerShell, replace \<Name\> with the name of the policy or rule, run the following command, and verify the settings:
security Configure Global Settings For Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-global-settings-for-safe-links.md
Title: Configure global settings for Safe Links settings in Defender for Office 365
+f1.keywords:
- NOCSH audience: Admin Previously updated : Last updated : localization_priority: Normal
+search.appverid:
- MET150 - MOE150-
+ms.assetid:
+ - M365-security-compliance description: Admins can learn how to view and configure global settings (the 'Block the following URLs' list and protection for Office 365 apps) for Safe Links in Microsoft Defender for Office 365. ms.technology: mdo
You can configure the global Safe Links settings in the Microsoft 365 Defender p
The **Block the following URLs** list identifies the links that should always be blocked by Safe Links scanning in supported apps. For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links).
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Links**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section.
2. On the **Safe Links** page, click **Global settings**. In the **Safe Links policy for your organization** fly out that appears, go to the **Block the following URLs** box.
You can use the **Get-AtpPolicyForO365** cmdlet to view existing entries in the
Safe Links protection for Office 365 apps applies to documents in supported Office desktop, mobile, and web apps. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Links**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section.
2. On the **Safe Links** page, click **Global settings**. In the **Safe Links policy for your organization** fly out that appears, configure the following settings in the **Settings that apply to content in supported Office 365 apps** section:
For detailed syntax and parameter information, see [Set-AtpPolicyForO365](/power
To verify that you've successfully configured the global settings for Safe Links (the **Block the following URLs** list and the Office 365 app protection settings), do any of the following steps: -- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Links** \> click **Global settings**, and verify the settings in the fly out that appears.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section \> click **Global settings**, and verify the settings in the fly out that appears.
- In Exchange Online PowerShell or Exchange Online Protection PowerShell, run the following command and verify the settings:
security Configure Mdo Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies.md
Title: Configure anti-phishing policies in Microsoft Defender for Office 365
+f1.keywords:
- NOCSH audience: ITPro Previously updated : Last updated : localization_priority: Normal-
+ms.assetid:
+ - M365-security-compliance description: Admins can learn how to create, modify, and delete the advanced anti-phishing policies that are available in organizations with Microsoft Defender for Office 365. ms.technology: mdo
To increase the effectiveness of anti-phishing protection in Defender for Office
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.
2. On the **Anti-phishing** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
When you're finished, click **Add**. - **Domains**: Select the **Domain** tab and click ![Add domains icon](../../media/m365-cc-sc-create-icon.png).
-
+ In the **Add trusted domains** flyout that appears, click in the **Domain** box, enter a value, and then press Enter or select the value that's displayed below the box. Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value. When you're finished, click **Add**.
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
## Use the Microsoft 365 Defender portal to view anti-phishing policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.
2. On the **Anti-phishing** page, the following properties are displayed in the list of anti-phishing policies:
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
## Use the Microsoft 365 Defender portal to modify anti-phishing policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.
2. On the **Anti-phishing** page, select a policy from the list by clicking on the name.
-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the Microsoft 365 Defender portal to create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the Microsoft 365 Defender portal to create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.
For the default anti-phishing policy, the **Users, groups, and domains** section isn't available (the policy applies to everyone), and you can't rename the policy.
To enable or disable a policy or set the policy priority order, see the followin
You can't disable the default anti-phishing policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
- In the Microsoft 365 Defender portal, you can only change the priority of the anti-phishing policy after you create it. In PowerShell, you can override the default priority when you create the anti-phish rule (which can affect the priority of existing rules). - Anti-phishing policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-phishing policy has the priority value **Lowest**, and you can't change it.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
When you use the Microsoft 365 Defender portal to remove a custom anti-phishing policy, the anti-phish rule and the corresponding anti-phish policy are both deleted. You can't remove the default anti-phishing policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name of the policy.
For detailed syntax and parameter information, see [Remove-AntiPhishRule](/power
To verify that you've successfully configured anti-phishing policies in Defender for Office 365, do any of the following steps: -- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
+- In the Microsoft 365 Defender portal, go to ***Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
- In Exchange Online PowerShell, replace \<Name\> with the name of the policy or rule, and run the following command and verify the settings:
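Review bot: The added verification bullet opens the navigation path with `***Email & Collaboration**` (three asterisks before, two after), so the bold markup is unbalanced and the path will not render like the others. Use `**Email & Collaboration**`, as every other navigation step changed in this file does.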
security Configure The Connection Filter Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-the-connection-filter-policy.md
Title: Configure the default connection filter policy
+f1.keywords:
- NOCSH Previously updated : Last updated : audience: ITPro localization_priority: Normal
+search.appverid:
- MET150 ms.assetid: 6ae78c12-7bbe-44fa-ab13-c3768387d0e3-+ - M365-security-compliance-+ - seo-marvel-apr2020 description: Admins can learn how to configure connection filtering in Exchange Online Protection (EOP) to allow or block emails from email servers. ms.technology: mdo
This article describes how to configure the default connection filter policy in
## Use the Microsoft 365 Defender portal to modify the default connection filter policy
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, select **Connection filter policy (Default)** from the list by clicking on the name of the policy.
This article describes how to configure the default connection filter policy in
## Use the Microsoft 365 Defender portal to view the default connection filter policy
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, the following properties are displayed in the list of policies:
For detailed syntax and parameter information, see [Set-HostedConnectionFilterPo
To verify that you've successfully modified the default connection filter policy, do any of the following steps: -- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam** \> select **Connection filter policy (Default)** from the list by clicking on the name of the policy, and verify the settings.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section \> select **Connection filter policy (Default)** from the list by clicking on the name of the policy, and verify the settings.
- In Exchange Online PowerShell or standalone EOP PowerShell, run the following command and verify the settings:
security Configure The Outbound Spam Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy.md
Title: Configure outbound spam filtering
+f1.keywords:
- NOCSH Previously updated : Last updated : audience: ITPro localization_priority: Normal
+search.appverid:
- MET150 ms.assetid: a44764e9-a5d2-4c67-8888-e7fb871c17c7-+ - M365-security-compliance-+ - seo-marvel-apr2020 description: Admins can learn how to view, create, modify, and delete outbound spam policies in Exchange Online Protection (EOP). ms.technology: mdo
To increase the effectiveness of outbound spam filtering, you can create custom
Creating a custom outbound spam policy in the Microsoft 365 Defender portal creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create policy** and then select **Outbound** from the drop down list.
Creating a custom outbound spam policy in the Microsoft 365 Defender portal crea
## Use the Microsoft 365 Defender portal to view outbound spam policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, look for one of the following values: - The **Type** value is **Custom outbound spam policy**
Creating a custom outbound spam policy in the Microsoft 365 Defender portal crea
## Use the Microsoft 365 Defender portal to modify outbound spam policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, select an outbound spam policy from the list by clicking on the name: - A custom policy that you created where the value in the **Type** column is **Custom outbound spam policy**.
To enable or disable a policy, set the policy priority order, or configure the e
You can't disable the default outbound spam policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom outbound spam policy** from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
- In the Microsoft 365 Defender portal, you can only change the priority of the outbound spam policy after you create it. In PowerShell, you can override the default priority when you create the spam filter rule (which can affect the priority of existing rules). - Outbound spam policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default outbound spam policy has the priority value **Lowest**, and you can't change it.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, select a select a policy with the **Type value** of **Custom outbound spam policy** from the list by clicking on the name.
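Review bot: Step 2 directly under the changed step 1 still reads "select a select a policy"; since this procedure is being edited anyway, fix the duplicated words in the same change. The other procedures in this file word the step as "select a policy with the **Type value** of **Custom outbound spam policy**".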
To change the priority of a policy, you click **Increase priority** or **Decreas
When you use the Microsoft 365 Defender portal to remove a custom outbound spam policy, the spam filter rule and the corresponding spam filter policy are both deleted. You can't remove the default outbound spam policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom outbound spam policy** from the list by clicking on the name. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
security Configure Your Spam Filter Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-your-spam-filter-policies.md
Title: Configure spam filter policies
+f1.keywords:
- NOCSH Previously updated : Last updated : audience: ITPro localization_priority: Priority
+search.appverid:
- MET150 ms.assetid: 316544cb-db1d-4c25-a5b9-c73bbcf53047-+ - M365-security-compliance description: Admins can learn how to view, create, modify, and delete anti-spam policies in Exchange Online Protection (EOP). ms.technology: mdo
To increase the effectiveness of spam filtering, you can create custom anti-spam
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create policy** and then select **Inbound** from the drop down list.
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates
## Use the Microsoft 365 Defender portal to view anti-spam policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, look for one of the following values: - The **Type** value is **Custom anti-spam policy**
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates
## Use the Microsoft 365 Defender portal to modify anti-spam policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, select an anti-spam policy from the list by clicking on the name: - A custom policy that you created where the value in the **Type** column is **Custom anti-spam policy**.
To enable or disable a policy, set the policy priority order, or configure the e
You can't disable the default anti-spam policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
- In the Microsoft 365 Defender portal, you can only change the priority of the anti-spam policy after you create it. In PowerShell, you can override the default priority when you create the spam filter rule (which can affect the priority of existing rules). - Anti-spam policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-spam policy has the priority value **Lowest**, and you can't change it.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, select a select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name.
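Review bot: The priority procedure's step 2, left unchanged below the edited step 1, carries the same "select a select a policy" duplication as the outbound spam article. Correct it here too so the enable/disable, priority and remove procedures use identical wording for this step.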
To change the priority of a policy, you click **Increase priority** or **Decreas
When a spam filtering verdict quarantines a message, you can configure end-user spam notifications to let recipients know what happened to messages that were sent to them. For more information about these notifications, see [End-user spam notifications in EOP](use-spam-notifications-to-release-and-report-quarantined-messages.md).
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, select an anti-spam policy from the list by clicking on the name: - A custom policy that you created where the value in the **Type** column is **Custom anti-spam policy**.
When a spam filtering verdict quarantines a message, you can configure end-user
When you use the Microsoft 365 Defender portal to remove a custom anti-spam policy, the spam filter rule and the corresponding spam filter policy are both deleted. You can't remove the default anti-spam policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
security Impersonation Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/impersonation-insight.md
Title: Impersonation insight
+f1.keywords:
- NOCSH Previously updated : Last updated : audience: ITPro localization_priority: Normal
+search.appverid:
- MET150 - MOE150 ms.assetid:-+ - M365-security-compliance description: Admins can learn how the impersonation insight works. They can quickly determine which senders are legitimately sending email into their organizations from domains that don't pass email authentication checks (SPF, DKIM, or DMARC).
You can use the impersonation insight in the Microsoft 365 Defender portal to qu
## Open the impersonation insight in the Microsoft 365 Defender portal
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.
2. On the **Anti-phishing** page, the impersonation insight looks like this:
security Learn About Spoof Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/learn-about-spoof-intelligence.md
Title: Spoof intelligence insight
+f1.keywords:
- NOCSH Previously updated : Last updated : audience: Admin localization_priority: Normal
+search.appverid:
- MOE150 - MET150 ms.assetid: 978c3173-3578-4286-aaf4-8a10951978bf-+ - M365-security-compliance-+ - seo-marvel-apr2020 description: Admins can learn about the spoof intelligence insight in Exchange Online Protection (EOP). ms.technology: mdo
The rest of this article explains how to use the spoof intelligence insight in t
## Open the spoof intelligence insight in the Microsoft 365 Defender portal
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Tenant Allow/Block Lists**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Tenant Allow/Block Lists** in the **Rules** section.
2. On the **Tenant Allow/Block Lists** page, the spoof intelligence insight looks like this:
security Manage Quarantined Messages And Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files.md
You view and manage quarantined messages in the Microsoft 365 Defender portal or
3. You can sort the results by clicking on an available column header. Click **Modify columns** to show a maximum of seven columns. The default values are marked with an asterisk (<sup>\*</sup>):
- - **Received**<sup>\*</sup>
- - **Sender**<sup>\*</sup>
- **Subject**<sup>\*</sup>
+ - **Time Received**<sup>\*</sup>
+ - **Sender**<sup>\*</sup>
- **Quarantine reason**<sup>\*</sup> - **Released?**<sup>\*</sup> - **Policy type**<sup>\*</sup>
You view and manage quarantined messages in the Microsoft 365 Defender portal or
- **Recipient** - **Message ID** - **Policy name**
- - **Size**
- - **Direction**
+ - **Message size**
+ - **Mail direction**
- When you're finished, click **Save**, or click **Set to default**.
+ When you're finished, click **Apply**.
4. To filter the results, click **Filter**. The available filters are: - **Expires time**: Filter messages by when they will expire from quarantine:
You view and manage quarantined messages in the Microsoft 365 Defender portal or
- **Quarantine reason**: - **Policy**: The message matched the conditions of a mail flow rule (also known as a transport rule). - **Bulk**
- - **Phish**: The spam filter verdict was **Phishing email** or anti-phishing protection quarantined the message ([spoof settings](set-up-anti-phishing-policies.md#spoof-settings) or [impersonation protection](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)).
+ - **Phish**: The spam filter verdict was **Phishing** or anti-phishing protection quarantined the message ([spoof settings](set-up-anti-phishing-policies.md#spoof-settings) or [impersonation protection](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)).
- **Malware** - **Spam** - **High Confidence Phish**
You view and manage quarantined messages in the Microsoft 365 Defender portal or
- **Subject**: Use the entire subject of the message. The search is not case-sensitive. - **Policy name**: The name of the policy that was responsible for quarantining the message.
- After you've entered the search criteria, click ![Refresh button](../../media/scc-quarantine-refresh.png) **Refresh** to filter the results.
+ After you've entered the search criteria, click !**Refresh** to filter the results.
After you find a specific quarantined message, select the message to view details about it, and to take action on it (for example, view, release, download, or delete the message).
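Review bot: The replacement line under the search criteria reads `click !**Refresh**`; the image reference was removed but its leading `!` was left behind and will render as a literal exclamation mark. Drop the `!`, or restore an icon using the `![alt text](path)` form that the removed line had.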
After you select a message, you have several options for what to do with the mes
- **Release message**: In the flyout that appears, choose the following options: - **Report messages to Microsoft for analysis**: This is selected by default, and reports the erroneously quarantined message to Microsoft as a false positive. If the message was quarantined as spam, bulk, phishing, or containing malware, the message is also reported to the Microsoft Spam Analysis Team. Depending on their analysis, the service-wide spam filter rules might be adjusted to allow the message through. - Choose one of the following options:
- - **Release messages to all recipients**
- - **Release messages to specific recipients**
- - **Release messages to other people**: Note that releasing malware messages to people other than original recipients is not supported.
+ - **Release to all recipients**
+ - **Release to specific recipients**
+ - **Report messages to Microsoft to improve detection**: This is selected by default, and reports the erroneously quarantined message to Microsoft as a false positive. If the message was quarantined as spam, bulk, phishing, or containing malware, the message is also reported to the Microsoft Spam Analysis Team. Depending on their analysis, the service-wide spam filter rules might be adjusted to allow the message through.
- When you're finished, click **Release messages**.
+ When you're finished, click **Release message**.
Notes about releasing messages:
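Review bot: The added **Report messages to Microsoft to improve detection** bullet repeats, word for word, the description already attached to the unchanged **Report messages to Microsoft for analysis** bullet above the release options, so the flyout is now documented with two reporting options. If the option was renamed and moved below the release choices, remove the old bullet in this change. Removing **Release messages to other people** also removes the statement that releasing malware messages to people other than the original recipients is not supported; keep that restriction somewhere in the section if it still applies.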
When you select multiple quarantined messages in the list (up to 100), the **Bul
- **Delete messages**: After you click **Yes** in the warning that appears, the messages are immediately deleted without being sent to the original recipients.
-When you're finished, click **Close**.
+- **Download messages**
## Use the Microsoft 365 Defender portal to manage quarantined files in Defender for Office 365
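Review bot: The new **Download messages** bullet has no description, unlike **Delete messages** directly above it, which states what happens after confirmation. Add a sentence saying what is downloaded and where it ends up, since this bulk action takes quarantined content out of quarantine and onto the admin's device.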
In organizations with Defender for Office 365, admins can manage quarantined fil
3. You can sort the results by clicking on an available column header. Click **Modify columns** to show a maximum of seven columns. The default columns are marked with an asterisk (<sup>\*</sup>): - **User**<sup>\*</sup> - **Location**<sup>\*</sup>
- - **File name**<sup>\*</sup>
+ - **Attachment filename**<sup>\*</sup>
- **File URL**<sup>\*</sup> - **File Size**<sup>\*</sup>
- - **Expires**<sup>\*</sup>
- **Released?**<sup>\*</sup>
+ - **Expires**<sup>\*</sup>
- **Detected by** - **Modified by time**
+ When you're finished, click **Apply** or **Cancel**.
+ 4. To filter the results, click **Filter**. The available filters are: - **Expires time**: Filter messages by when they will expire from quarantine: - **Today**
In organizations with Defender for Office 365, admins can manage quarantined fil
- **Quarantine reason**: The only available value is **Malware**. - **Policy type**
+ When you're finished, click **Apply** or **Cancel**.
+ After you find a specific quarantined file, select the file to view details about it, and to take action on it (for example, view, release, download, or delete the message). #### View quarantined file details
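Review bot: The sentence on the added line before "View quarantined file details" ends with "delete the message" although the section and the rest of the sentence are about a quarantined file. Change it to "delete the file" so the files procedure does not read as a copy of the messages procedure.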
security Office 365 Evaluation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-evaluation.md
Title: Evaluate Microsoft Defender for Office 365 description: Defender for Office 365 in evaluation mode creates Defender for Office 365 email policies that log verdicts, such as malware, but don't act on messages. keywords: evaluate Office 365, Microsoft Defender for Office 365, office 365 evaluation, try office 365, Microsoft Defender, Microsoft Defender for Endpoint
+f1.keywords:
- NOCSH
audience: ITPro
localization_priority: Normal
+search.appverid:
- MET150 - MOE150-+ - M365-security-compliance ms.technology: mdo
The [Microsoft Defender for Office 365](defender-for-office-365.md) evaluation e
If you don't already have a license that supports Microsoft Defender for Office 365, you can start a [free 30-day evaluation](https://admin.microsoft.com/AdminPortal/Home#/catalog/offer-details/microsoft-defender-for-office-365-plan-2-/223860DC-15D6-42D9-A861-AE05473069FA) and test the capabilities in the Microsoft 365 Defender portal at <https://security.microsoft.com>. You'll enjoy the quick set-up and you can easily turn it off if necessary. > [!NOTE]
-> If you're in the Microsoft 365 Defender portal (<https://security.microsoft.com>), you can start a Defender for Office 365 evaluation here: **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Others** section \> **Evaluation mode**.
+> If you're in the Microsoft 365 Defender portal (<https://security.microsoft.com>), you can start a Defender for Office 365 evaluation here: **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Evaluation mode** in the **Others** section.
## How the evaluation works
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
Title: Preset security policies
+f1.keywords:
- NOCSH audience: ITPro Previously updated : Last updated : localization_priority: Normal-
+ms.assetid:
+ - M365-security-compliance description: Admins can learn how to apply Standard and Strict policy settings across the protection features of Exchange Online Protection (EOP) and Microsoft Defender for Office 365 ms.technology: mdo
When multiple policies are applied to a user, the following order is applied fro
3. Custom security policies 4. Default security policies
-In other words, the settings of the **Strict protection** policy override the settings of the **Standard protection** policy, which overrides the settings from a custom policy, which overrides the settings from the default policy.
+In other words, the settings of the **Strict protection** policy override the settings of the **Standard protection** policy, which overrides the settings from a custom policy, which overrides the settings from the default policy.
For example, if a security setting exists in **Standard protection** and an admin has enabled the **Standard protection** for a user, then the **Standard protection** setting will be applied instead of what is configured for that setting in a custom policy or in the default policy (for the same user). Note that you might have some portion of your organization to whom you want to apply only the **Standard** or **Strict protection** policy while applying a custom policy to other users in your organization to meet specific needs.
For example, if a security setting exists in **Standard protection** and an admi
### Use the Microsoft 365 Defender portal to assign preset security policies to users
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Templated policies** section \> **Preset Security Policies**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Preset Security Policies** in the **Templated policies** section.
2. Under **Standard protection** or **Strict protection**, click **Edit**.
security Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md
+
+ Title: Quarantine policies
++++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ms.assetid:
+
+ - M365-security-compliance
+
+description: Admins can learn how to use quarantine policies to control what users are able to do to their quarantined messages.
+ms.technology: mdo
++
+# Quarantine policies
+
+> [!NOTE]
+> The features that are described in this article are currently in Preview, aren't available to everyone, and are subject to change.
+
+Quarantine policies (formerly known as quarantine tags) in Exchange Online Protection (EOP) allow admins to control what users are able to do to their quarantined messages based on how the message arrived in quarantine.
+
+EOP has traditionally allowed or prevented certain levels of interactivity for messages in [quarantine](find-and-release-quarantined-messages-as-a-user.md) and in [end-user spam notifications](use-spam-notifications-to-release-and-report-quarantined-messages.md). For example, users can view and release messages that were quarantined by anti-spam filtering as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing (only admins can do that).
+
+For [supported protection features](#step-2-assign-a-quarantine-policy-to-supported-features), quarantine policies specify what users are allowed to do in end-user spam notification messages and in their quarantined messages in quarantine (messages where the user is a recipient). Default quarantine policies are automatically assigned to enforce the historical capabilities for users on quarantined messages. Or, you can create and assign custom quarantine policies to allow or prevent end users from performing specific actions on quarantined messages.
+
+The individual permissions are combined into the following preset permission groups:
+
+- Admin only access
+- Limited access
+- Full access
+
+The available individual permissions and what's included or not included in the preset permission groups are described in the following table:
+
+<br>
+
+****
+
+|Permission|Admin only access|Limited access|Full access|
+||::|::|::|
+|**Block sender** (_PermissionToBlockSender_)||![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
+|**Delete** (_PermissionToDelete_)||![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
+|**Preview** (_PermissionToPreview_)||![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
+|**Allow recipients to release a message from quarantine** (_PermissionToRelease_)|||![Check mark](../../media/checkmark.png)|
+|**Allow recipients to request a message to be released from quarantine** (_PermissionToRequestRelease_)||![Check mark](../../media/checkmark.png)||
+|
+
+If you don't like the default permissions in the preset permission groups, you can use custom permissions when you create or modify custom quarantine policies. For more information about what each permission does, see the [Quarantine policy permission details](#quarantine-policy-permission-details) section later in this article.
+
+You create and assign quarantine policies in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with Exchange Online Mailboxes; standalone EOP PowerShell in EOP organizations without Exchange Online mailboxes).
+
+## What do you need to know before you begin?
+
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. Or to go directly to the **Quarantine policies** page, open <https://security.microsoft.com/quarantineTags>.
+
+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
+
+- To view, create, modify, or remove quarantine policies, you need to be a member of the **Organization Management** or **Security Administrator** roles in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
+
+## Step 1: Create quarantine policies in the Microsoft 365 Defender portal
+
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.
+
+2. On the **Quarantine policy** page, click ![Add custom policy icon](../../media/m365-cc-sc-create-icon.png) **Add custom policy**.
+
+3. The **New policy** wizard opens. On the **Policy name** page, enter a brief but unique name in the **Policy name** box. You'll need to identify and select the quarantine policy by name in upcoming steps. When you're finished, click **Next**.
+
+4. On the **Recipient message access** page, select one of the following values:
+ - **Limited access**
+
+ The individual permissions that are included in these permission groups are described earlier in this article.
+
+ To specify custom permissions, select **Set specific access (Advanced)** and the configure the following settings that appear:
+
+ - **Select release action preference**: Select one of the following values:
+ - **No release action**: This is the default value.
+ - **Allow recipients to release a message from quarantine**
+ - **Allow recipients to request a message to be released from quarantine**
+ - **Select additional actions recipients can take on quarantined messages**: Select some, all, or none of the following values:
+ - **Delete**
+ - **Preview**
+ - **Block sender**
+
+ These permissions and their effect on quarantined messages and in end-user spam notifications are described in the [Quarantine policy permission details](#quarantine-policy-permission-details) section later in this article.
+
+ When you're finished, click **Next**.
+
+5. On the **End user spam notification** page, enable the notification if needed.
+
+6. On the **Review policy** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+
+ When you're finished, click **Submit**.
+
+7. On the confirmation page that appears, click **Done**.
+
+Now you're ready to assign the quarantine policy to a quarantine feature as described in the [Step 2](#step-2-assign-a-quarantine-policy-to-supported-features) section.
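Review bot: In step 4 of the wizard procedure, the list under "select one of the following values" contains only **Limited access**, yet the next sentence refers to "these permission groups" and the introduction names three presets (Admin only access, Limited access, Full access). List every value the **Recipient message access** page offers, or reword to the singular if Limited access is the only preset shown. The same step has a typo, "and the configure the following settings" (should be "and then configure"). Step 5 says only "enable the notification if needed"; name the control to select, as the other steps do.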
+
+### Create quarantine policies in PowerShell
+
+If you'd rather use PowerShell to create quarantine policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the **New-QuarantineTag** cmdlet. You have two different methods to choose from:
+
+- Use the _EndUserQuarantinePermissionsValue_ parameter.
+- Use the _EndUserQuarantinePermissions_ parameter.
+
+These methods are described in the following sections.
+
+#### Use the EndUserQuarantinePermissionsValue parameter
+
+To create a quarantine policy using the _EndUserQuarantinePermissionsValue_ parameter, use the following syntax:
+
+```powershell
+New-QuarantineTag -Name "<UniqueName>" -EndUserQuarantinePermissionsValue <0 to 236>
+```
+
+The _EndUserQuarantinePermissionsValue_ parameter uses a decimal value that's converted from a binary value. The binary value corresponds to the available end-user quarantine permissions in a specific order. For each permission, the value 1 equals True and the value 0 equals False.
+
+The required order and values for each individual permission in preset permission groups are described in the following table:
+
+<br>
+
+****
+
+|Permission|Limited access|
+||::|
+|PermissionToBlockSender|1|
+|PermissionToDelete|1|
+|PermissionToDownload<sup>\*</sup>|0|
+|PermissionToPreview|1|
+|PermissionToRelease<sup>\*\*</sup>|0|
+|PermissionToRequestRelease<sup>\*\*</sup>|1|
+|PermissionToViewHeader<sup>\*</sup>|0|
+|Binary value|01101010|
+|Decimal value to use|106|
+|
+
+<sup>\*</sup> Currently, this value is always 0. For PermissionToViewHeader, the value 0 doesn't hide the **View message header** button in the details of the quarantined message (the button is always available).
+
+<sup>\*\*</sup> Don't set both of these values to 1. Set one to 1 and the other to 0, or set both to 0.
+
+This example creates a new quarantine policy name LimitedAccess that assigns the Limited access permissions as described in the previous table.
+
+```powershell
+New-QuarantineTag -Name LimitedAccess -EndUserQuarantinePermissionsValue 106
+```
+
+For custom permissions, use the previous table to get the binary value that corresponds to the permissions you want. Convert the binary value to a decimal value and use the decimal value for the _EndUserQuarantinePermissionsValue_ parameter.
+
+For detailed syntax and parameter information, see [New-QuarantineTag](/powershell/module/exchange/new-quarantinetag).
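Review bot: The bit layout in the EndUserQuarantinePermissionsValue table does not add up: the table lists seven permissions, the binary value is written with eight digits (01101010), and the syntax line allows "<0 to 236>", which needs an eighth bit that no row describes (seven bits top out at 127). Either add the missing row or say what the leading digit is, and state whether the rows run from most to least significant bit, because the custom-permissions paragraph asks readers to build this value by hand and a misplaced bit grants a different permission than intended. The range also admits values with both PermissionToRelease and PermissionToRequestRelease set to 1, which the second footnote forbids; say what the cmdlet does with such a value. Minor: "policy name LimitedAccess" should be "policy named LimitedAccess".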
+
+#### Use the EndUserQuarantinePermissions parameter
+
+To create a quarantine policy using the _EndUserQuarantinePermissionsValue_ parameter, do the following steps:
+
+A. Store a quarantine permissions object in a variable using the **New-QuarantinePermissions** cmdlet.
+
+<p>
+
+B. Use the variable as the _EndUserQuarantinePermissions_ value in the **New-QuarantineTag** command.
+
+##### Step A: Store a quarantine permissions object in a variable
+
+Use the following syntax:
+
+```powershell
+$<VariableName> = New-QuarantinePermissions [-PermissionToBlockSender <$true | $False>] [-PermissionToDelete <$true | $False>] [-PermissionToPreview <$true | $False>] [-PermissionToRelease <$true | $False>] [-PermissionToRequestRelease <$true | $False>]
+```
+
+The default value for any unused parameters is `$false`, so you only need to use the parameters where you want to set value to `$true`.
+
+The following example shows how to create permission objects that correspond to the **Limited access** preset permissions group:
+
+```powershell
+$LimitedAccess = New-QuarantinePermissions -PermissionToBlockSender $true -PermissionToDelete $true -PermissionToPreview $true -PermissionToRequestRelease $true
+```
+
+To see the values that you've set, run the variable name as a command (for example, run the command `$LimitedAccess`).
+
+For custom permissions, don't set both the _PermissionToRelease_ and _PermissionToRequestRelease_ parameters to `$true`. Set one to `$true` and leave the other as `$false`, or leave both as `$false`.
+
+You can also modify an existing permissions object variable after you create but before you use it by using the **Set-QuarantinePermissions** cmdlet.
+
+For detailed syntax and parameter information, see [New-QuarantinePermissions](/powershell/module/exchange/new-quarantinepermissions) and [Set-QuarantinePermissions](/powershell/module/exchange/set-quarantinepermissions).
+
+##### Step B: Use the variable in the New-QuarantineTag command
+
+After you've created and stored the permissions object in a variable, use the variable for the _EndUserQuarantinePermission_ parameter value in the following **New-QuarantineTag** command:
+
+```powershell
+New-QuarantineTag -Name "<UniqueName>" -EndUserQuarantinePermissions $<VariableName>
+```
+
+This example creates a new quarantine policy named LimitedAccess using the `$LimitedAccess` permissions object that was described and created in the previous step.
+
+```powershell
+New-QuarantineTag -Name LimitedAccess -EndUserQuarantinePermissions $LimitedAccess
+```
+
+For detailed syntax and parameter information, see [New-QuarantineTag](/powershell/module/exchange/new-quarantinetag).
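Review bot: The opening sentence of "Use the EndUserQuarantinePermissions parameter" names the wrong parameter: it reads "using the _EndUserQuarantinePermissionsValue_ parameter", a copy of the sentence from the previous section, and should say _EndUserQuarantinePermissions_. Step B has the opposite slip, "_EndUserQuarantinePermission_" without the final s, which does not match the command shown under it. The bare `<p>` between steps A and B has no closing tag and can be dropped, and the syntax line in Step A mixes `$true` and `$False`; pick one casing.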
+
+## Step 2: Assign a quarantine policy to supported features
+
+In _supported_ protection features that quarantine messages or files (automatically or as a configurable action), you can assign a quarantine policy to the available quarantine actions. Features that quarantine messages and the availability of quarantine policies are described in the following table:
+
+<br>
+
+****
+
+|Feature|Quarantine policies supported?|Default quarantine policies used|
+||::||
+|[Anti-spam policies](configure-your-spam-filter-policies.md): <ul><li>**Spam** (_SpamAction_)</li><li>**High confidence spam** (_HighConfidenceSpamAction_)</li><li>**Phishing** (_PhishSpamAction_)</li><li>**High confidence phishing** (_HighConfidencePhishAction_)</li><li>**Bulk** (_BulkSpamAction_)</li></ul>|Yes|<ul><li>DefaultFullAccessPolicy (Full access)</li><li>DefaultFullAccessPolicy (Full access)</li><li>DefaultFullAccessPolicy (Full access)</li><li>AdminOnlyAccessPolicy (No access)</li><li>DefaultFullAccessPolicy (Full access)</li></ul>|
+|Anti-phishing policies: <ul><li>[Spoof intelligence protection](set-up-anti-phishing-policies.md#spoof-settings) (_AuthenticationFailAction_)</li><li>[Impersonation protection](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365):<sup>\*</sup> <ul><li>**If message is detected as an impersonated user** (_TargetedUserProtectionAction_)</li><li>**If message is detected as an impersonated domain** (_TargetedDomainProtectionAction_)</li><li>**If mailbox intelligence detects and impersonated user** (_MailboxIntelligenceProtectionAction_)</li></ul></li></ul></ul>|Yes|<ul><li>DefaultFullAccessPolicy (Full access)</li><li>DefaultFullAccessPolicy (Full access)</li></ul>|
+|[Anti-malware policies](configure-anti-malware-policies.md): All detected messages are always quarantined.|Yes|AdminOnlyAccessPolicy (Admin only access)|
+|[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)|Yes|AdminOnlyAccessPolicy (Admin only access)|
+|[Mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) with the action: **Deliver the message to the hosted quarantine** (_Quarantine_).|No|n/a|
+|
+
+<sup>\*</sup> Impersonation protection settings are available only in anti-phishing policies in Microsoft Defender for Office 365.
+
+If you're happy with the end-user permissions that are provided by the default quarantine policies, you don't need to do anything. If you want to customize the end-user capabilities (available buttons) in end-user spam notifications or in quarantined message details, you can assign a custom quarantine policy.
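Review bot: In the Step 2 table, the anti-phishing row lists four actions (spoof intelligence plus three impersonation actions) but only two default quarantine policies, so a reader cannot tell which default applies to which action; give one entry per action as the anti-spam row does. That cell also closes one more `</ul>` than it opens, and "detects and impersonated user" should be "detects an impersonated user". In the anti-spam row, the high confidence phishing default is labelled "AdminOnlyAccessPolicy (No access)" while the anti-malware and Safe Attachments rows use "AdminOnlyAccessPolicy (Admin only access)"; use the preset group name from the introduction in all three.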
+
+### Assign quarantine policies in anti-spam policies in the Microsoft 365 Defender portal
+
+Full instructions for creating and modifying anti-spam policies are described in [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
+
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Policies** section \> **Anti-spam**. Or, open <https://security.microsoft.com/antispam>.
+
+2. On the **Anti-spam policies** page, do one of the following steps:
+ - Find and select an existing **inbound** anti-spam policy.
+ - Create a new **inbound** anti-spam policy.
+
+3. Do one of the following steps:
+ - **Edit existing anti-spam policy**: In the policy details flyout, go to the **Actions** section and then click **Edit actions**.
+ - **Create new anti-spam policy**: In the new policy wizard, go to the **Actions** page.
+
+4. On the **Actions** page. every verdict that has the **Quarantine message** action will also have the **Select quarantine policy** box for you to select a corresponding quarantine policy.
+
+ **Note**: When you create a new policy, a blank **Select quarantine policy** value indicates the default quarantine policy for that verdict is used. When you later edit the policy, the blank values are replaced by the actual default quarantine policy names as described in the previous table.
+
+ ![Quarantine policy selections in an anti-spam policy](../../media/quarantine-tags-in-anti-spam-policies.png)
+
+5. When you're finished, click **Save**.
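Review bot: The navigation path in step 1 does not match the one used for quarantine policies in this same article: here it goes through **Policies & rules** and a **Policies** section, while the quarantine policy procedures go from **Email & collaboration** straight to **Threat policies** and a **Rules** section with no **Policies & rules** level. The preset-security-policies.md change in this update also moves the section name to the end of the path ("... in the **Templated policies** section") and uses title case for **Email & Collaboration** and **Policies & Rules**; apply one form and one casing throughout. Step 4 has a stray period: "On the **Actions** page. every verdict" should use a comma.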
+
+#### Assign quarantine policies in anti-spam policies in PowerShell
+
+If you'd rather use PowerShell to assign quarantine policies in anti-spam policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the following syntax:
+
+```powershell
+<New-HostedContentFilterPolicy -Name "<Unique name>" | Set-HostedContentFilterPolicy -Identity "<Policy name>"> [-SpamAction Quarantine] [-SpamQuarantineTag <QuarantineTagName>] [-HighConfidenceSpamAction Quarantine] [-HighConfidenceSpamQuarantineTag <QuarantineTagName>] [-PhishSpamAction Quarantine] [-PhishQuarantineTag <QuarantineTagName>] [-HighConfidencePhishQuarantineTag <QuarantineTagName>] [-BulkSpamAction Quarantine] [-BulkQuarantineTag <QuarantineTagName>] ...
+```
+
+**Notes**:
+
+- The default value for the _HighConfidencePhishAction_ parameter is Quarantine, so you don't need to set the Quarantine action for high confidence phishing detections in new anti-spam policies. For all other spam filtering verdicts in new or existing anti-spam policies, the quarantine policy is only effective if the action value is Quarantine. To see the action values in existing anti-spam policies, run the following command:
+
+ ```powershell
+ Get-HostedContentFilterPolicy | Format-Table Name,*SpamAction,HighConfidencePhishAction
+ ```
+
+ For information about the default action values and the recommended action values for Standard and Strict, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
+
+- A spam filtering verdict without a corresponding quarantine policy parameter means the [default quarantine policy](#step-2-assign-a-quarantine-policy-to-supported-features) for that verdict is used.
+
+ You only need to replace a default quarantine policy with a custom quarantine policy if you want to change the default end-user capabilities on quarantined messages.
+
+- A new anti-spam policy in PowerShell requires a spam filter policy (settings) using the **New-HostedContentFilterPolicy** cmdlet and a new spam filter rule (recipient filters) using the **New-HostedContentFilterRule** cmdlet. For instructions, see [Use PowerShell to create anti-spam policies](configure-your-spam-filter-policies.md#use-powershell-to-create-anti-spam-policies).
+
+This example creates a new spam filter policy named Research Department with the following settings:
+
+- The action for all spam filtering verdicts is set to Quarantine.
+- The custom quarantine policy named NoAccess that assigns **No access** permissions replaces any default quarantine policies that don't already assign **No access** permissions by default.
+
+```powershell
+New-HostedContentFilterPolicy -Name Research Department -SpamAction Quarantine -SpamQuarantineTag NoAccess -HighConfidenceSpamAction Quarantine -HighConfidenceSpamQuarantineTag NoAction -PhishSpamAction Quarantine -PhishQuarantineTag NoAction -BulkSpamAction Quarantine -BulkQuarantineTag NoAccess
+```
+
+For detailed syntax and parameter information, see [New-HostedContentFilterPolicy](/powershell/module/exchange/new-hostedcontentfilterpolicy).
+
+This example modifies the existing spam filter policy named Human Resources. The action for the spam quarantine verdict is set to Quarantine, and the custom quarantine policy named NoAccess is assigned.
+
+```powershell
+Set-HostedContentFilterPolicy -Identity "Human Resources" -SpamAction Quarantine -SpamQuarantineTag NoAccess
+```
+
+For detailed syntax and parameter information, see [Set-HostedContentFilterPolicy](/powershell/module/exchange/set-hostedcontentfilterpolicy).
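Review bot: The Research Department example will not run as written and does not do what its bullets describe. `-Name Research Department` is unquoted, so PowerShell passes Department as a separate argument; quote the name as the Human Resources example does. The HighConfidenceSpamQuarantineTag and PhishQuarantineTag values are NoAction, but the description says the policy named NoAccess replaces the defaults, so either the name is a typo or two verdicts point at a different policy that the article never creates. The description also calls the permissions "No access", which is not one of the preset group names defined earlier (Admin only access, Limited access, Full access).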
+
+## Configure global quarantine notification settings in the Microsoft 365 Defender portal
+
+The global settings for quarantine policies allow you to customize the end-user spam notifications that are sent to recipients of messages that were quarantined. For more information about these notifications, see [End-user spam notifications](use-spam-notifications-to-release-and-report-quarantined-messages.md).
+
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.
+
+2. On the **Quarantine policy** page, select **Global settings**.
+
+3. In the **Quarantine notification settings** flyout that opens, configure some or all of the following settings:
+
+ - **Display name**: Customize the sender's display name that's used in end-user spam notifications.
+
+ For each language that you've added, select the language in the second language box (don't click on the X) and enter the text value you want in the **Display name** box.
+
+ The following screenshot shows the customized display name in an end-user spam notification:
+
+ ![A customized sender display name in an end-user spam notification](../../media/quarantine-tags-esn-customization-display-name.png)
+
+ - **Disclaimer**: Add a custom disclaimer to the bottom of end-user spam notifications. The localized text, **A disclaimer from your organization:** is always included first, followed by the text you specify.
+
+ For each language that you've added, select the language in the second language box (don't click the X) and enter the text value you want in the **Disclaimer** box.
+
+ The following screenshot shows the customized disclaimer in an end-user spam notification:
+
+ ![A custom disclaimer at the bottom of an end-user spam notification](../../media/quarantine-tags-esn-customization-disclaimer.png)
+
+ - **Choose language**: End-user spam notifications are already localized based on the recipient's language settings. You can specify customized text in different languages for the **Display name** and **Disclaimer** values.
+
+ Select at least one language from the first language box and then click **Add**. You can select multiple languages by clicking **Add** after each one. A section language box shows all of the languages that you've selected:
+
+ ![Selected languages in the second language box in the global quarantine notification settings of quarantine policies](../../media/quarantine-tags-esn-customization-selected-languages.png)
+
+ - **Use my company logo**: Select this option to replace the default Microsoft logo that's use at the top of end-user spam notifications. Before you do this, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your custom logo.
+
+ The following screenshot shows a custom logo in an end-user spam notification:
+
+ ![A custom logo in an end-user spam notification](../../media/quarantine-tags-esn-customization-logo.png)
+
+ - **Send end-user spam notification every (days)**: Select the frequency at which you would like the end user notification to go out in.
+
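Review bot: In the Quarantine notification settings list, **Display name** and **Disclaimer** both tell the reader to pick a language in "the second language box" before **Choose language** has explained how languages get added to it; move **Choose language** to the top of the list. Typos in the same list: "A section language box" should be "A second language box", "that's use at the top" should be "that's used", and "to go out in" should drop the trailing "in". The procedure also ends without saying how to save the flyout.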
+## View quarantine policies in the Microsoft 365 Defender portal
+
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.
+
+2. The **Quarantine policy** page shows the list of policies by **Name** and **Last updated** date.
+
+3. To view the settings of built-in or custom quarantine policies, select the quarantine policy from the list by clicking on the name.
+
+4. To view the global settings, click **Global settings**
+
+### View quarantine policies in PowerShell
+
+If you'd rather use PowerShell to view quarantine policies, do any of the following steps:
+
+- To view a summary list of all built-in or custom policies, run the following command:
+
+ ```powershell
+ Get-QuarantineTag | Format-Table Name
+ ```
+
+- To view the settings of built-in or custom quarantine policies, replace \<QuarantinePolicyName\> with the name of the quarantine policy, and run the following command:
+
+ ```powershell
+ Get-QuarantineTag -Identity "<QuarantinePolicyName>"
+ ```
+
+- To view the global settings for end-user spam notifications, run the following command:
+
+ ```powershell
+ Get-QuarantineTag -QuarantineTagType GlobalQuarantineTag
+ ```
+
+For detailed syntax and parameter information, see [Get-HostedContentFilterPolicy](/powershell/module/exchange/get-hostedcontentfilterpolicy).
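Review bot: The reference link at the end of "View quarantine policies in PowerShell" points to Get-HostedContentFilterPolicy, but every command in the section is Get-QuarantineTag; link to the Get-QuarantineTag reference instead. In the portal steps above, step 4 ("click **Global settings**") is missing its closing period.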
+
+## Modify quarantine policies in the Microsoft 365 Defender portal
+
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.
+
+2. On the **Quarantine policies** page, select the policy by clicking on the name.
+
+3. After you select the policy, click the ![Edit policy icon](../../media/m365-cc-sc-edit-icon.png) **Edit policy** icon that appears.
+
+4. The **Edit policy** wizard that opens is virtually identical to the **New policy** wizard as described in the [Create quarantine policies in the Microsoft 365 Defender portal](#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal) section earlier in this article.
+
+ The main difference is: you can't rename an existing policy.
+
+5. When you're finished modifying the policy, go to the **Summary** page and click **Submit**.
+
+### Modify quarantine policies in PowerShell
+
+If you'd rather use PowerShell to modify a custom quarantine policy, replace \<QuarantinePolicyName\> with the name of the quarantine policy, and use the following syntax:
+
+```powershell
+Set-QuarantineTag -Identity "<QuarantinePolicyName>" [Settings]
+```
+
+The available settings are the same as described for creating quarantine policies earlier in this article.
+
+For detailed syntax and parameter information, see [Set-QuarantineTag](/powershell/module/exchange/set-quarantinetag).
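Review bot: Step 5 of the modify procedure sends the reader to a **Summary** page, but the wizard described in Step 1, which this section calls virtually identical, ends on a **Review policy** page; use the same page name in both. The list page is also called the "**Quarantine policies** page" in step 2 here and the "**Quarantine policy** page" in the create, view and remove procedures.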
+
+## Remove quarantine policies in the Microsoft 365 Defender portal
+
+**Notes**:
+
+- You can't remove built-in quarantine policies.
+- Before you remove a custom quarantine policy, verify that it's not being used. For example, run the following command in PowerShell:
+
+ ```powershell
+ Get-HostedContentFilterPolicy | Format-List Name,*QuarantineTag
+ ```
+
+ If the quarantine policy is being used, [replace the assigned quarantine policy](#step-2-assign-a-quarantine-policy-to-supported-features) before you remove it.
+
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.
+
+2. On the **Quarantine policy** page, select the custom quarantine policy that you want to remove by clicking on the name.
+
+3. After you select the policy, click the ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy** icon that appears.
+
+4. Click **Remove policy** in the confirmation dialog that appears.
+
+### Remove quarantine policies in PowerShell
+
+If you'd rather use PowerShell to remove a custom quarantine policy, replace \<QuarantinePolicyName\> with the name of the quarantine policy, and run the following command:
+
+```powershell
+Remove-QuarantineTag -Identity "<QuarantinePolicyName>"
+```
+
+For detailed syntax and parameter information, see [Remove-QuarantineTag](/powershell/module/exchange/remove-quarantinetag).
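Review bot: The in-use check in the Notes covers only anti-spam policies (Get-HostedContentFilterPolicy), while the Step 2 table says anti-phishing policies, anti-malware policies and Safe Attachments for SharePoint, OneDrive, and Microsoft Teams also take quarantine policies. State that those features must be checked as well, and say what happens to a feature that still references a removed policy, so an admin does not change end-user access to quarantined mail by accident. The Notes also sit between the portal heading and its numbered steps although the command shown is PowerShell; a short lead-in sentence would make the order clearer.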
+
+## Quarantine policy permission details
+
+The following sections describe the effects of preset permission groups and individual permissions in the details of quarantined messages and in end-user spam notifications.
+
+### Preset permissions groups
+
+The individual permissions that are included in preset permission groups are listed in the table at the beginning of this article.
+
+#### Admin Only access
+
+If the quarantine policy assigns the **Admin Only access** permissions (no permissions), users will not able to see those messages that are quarantined:
+
+- **Quarantined message details**: No message will show in the end user view.
+- **End-user spam notifications**: No notification will be sent for those message
+
+#### Limited access
+
+If the quarantine policy assigns the **Limited access** permissions, users get the following capabilities:
+
+- **Quarantined message details**: The following buttons are available:
+ - **Request release**
+ - **View message header**
+ - **Preview message**
+ - **Block sender**
+ - **Remove from quarantine**
+
+ ![Available buttons in the quarantined message details if the quarantine policy gives the user Limited access permissions](../../media/quarantine-tags-quarantined-message-details-limited-access.png)
+
+- **End-user spam notifications**: The following buttons are available:
+ - **Block sender**
+ - **Review**
+
+ ![Available buttons in the end-user spam notification if the quarantine policy gives the user Limited access permissions](../../media/quarantine-tags-esn-limited-access.png)
+
+#### Full access
+
+If the quarantine policy assigns the **Full access** permissions (all available permissions), users get the following capabilities:
+
+- **Quarantined message details**: The following buttons are available:
+ - **Release message**
+ - **View message header**
+ - **Preview message**
+ - **Block sender**
+ - **Remove from quarantine**
+
+ ![Available buttons in the quarantined message details if the quarantine policy gives the user Full access permissions](../../media/quarantine-tags-quarantined-message-details-full-access.png)
+
+- **End-user spam notifications**: The following buttons are available:
+ - **Block sender**
+ - **Release**
+ - **Review**
+
+ ![Available buttons in the end-user spam notification if the quarantine policy gives the user Full access permissions](../../media/quarantine-tags-esn-full-access.png)
+
+### Individual permissions
+
+#### Block sender permission
+
+The **Block sender** permission (_PermissionToBlockSender_) controls access to the button that allows users to conveniently add the quarantined message sender to their Blocked Senders list.
+
+- **Quarantined message details**:
+ - **Block sender** permission enabled: The **Block sender** button is available.
+ - **Block sender** permission disabled: The **Block sender** button is not available.
+
+- **End-user spam notifications**:
+ - **Block sender** permission disabled: The **Block sender** button is not available.
+ - **Block sender** permission enabled: The **Block sender** button is available.
+
+For more information about the Blocked Senders list, see [Block messages from someone](https://support.microsoft.com/office/274ae301-5db2-4aad-be21-25413cede077#__toc304379667) and [Use Exchange Online PowerShell to configure the safelist collection on a mailbox](configure-junk-email-settings-on-exo-mailboxes.md#use-exchange-online-powershell-to-configure-the-safelist-collection-on-a-mailbox).
+
+#### Delete permission
+
+The **Delete** permission (_PermissionToDelete_) controls the ability to of users to delete their messages (messages where the user is a recipient) from quarantine.
+
+- **Quarantined message details**:
+ - **Delete** permission enabled: The **Remove from quarantine** button is available.
+ - **Delete** permission disabled: The **Remove from quarantine** button is not available.
+
+- **End-user spam notifications**: No effect.
+
+#### Preview permission
+
+The **Preview** permission (_PermissionToPreview_) controls the ability to of users to preview their messages in quarantine.
+
+- **Quarantined message details**:
+ - **Preview** permission enabled: The **Preview message** button is available.
+ - **Preview** permission disabled: The **Preview message** button is not available.
+
+- **End-user spam notifications**: No effect.
+
+#### Allow recipients to release a message from quarantine permission
+
+The **Allow recipients to release a message from quarantine** permission (_PermissionToRelease_) controls the ability of users to release their quarantined messages directly and without the approval of an admin.
+
+- **Quarantined message details**:
+ - Permission enabled: The **Release message** button is available.
+ - Permission disabled: The **Release message** button is not available.
+
+- **End-user spam notifications**:
+ - Permission enabled: The **Release** button is available.
+ - Permission disabled: The **Release** button is not available.
+
+#### Allow recipients to request a message to be released from quarantine permission
+
+The **Allow recipients to request a message to be released from quarantine** permission (_PermissionToRequestRelease_) controls the ability of users to _request_ the release of their quarantined messages. The message is only released after an admin approves the request.
+
+- **Quarantined message details**:
+ - Permission enabled: The **Request release** button is available.
+ - Permission disabled: The **Request release** button is not available.
+
+- **End-user spam notifications**: The **Release** button is not available.
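Review bot: In the Delete permission and Preview permission sections, the intro sentences read "controls the ability to of users to ..."; drop the stray "to" so they match the two release sections ("controls the ability of users to ..."). In the Admin Only access section, "users will not able to see" is missing "be", and the second bullet ends "for those message" with no plural and no period. Under Block sender permission, the End-user spam notifications list gives the disabled case before the enabled case, the reverse of every other list in this file; swap the two lines. The request-release section should also say why the **Release** button is absent from the notification, since a Limited access reader is left with only **Block sender** and **Review** there.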
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
Title: Microsoft recommendations for EOP and Defender for Office 365 security settings keywords: Office 365 security recommendations, Sender Policy Framework, Domain-based Message Reporting and Conformance, DomainKeys Identified Mail, steps, how does it work, security baselines, baselines for EOP, baselines for Defender for Office 365 , set up Defender for Office 365 , set up EOP, configure Defender for Office 365, configure EOP, security configuration
+f1.keywords:
- NOCSH Previously updated : Last updated : audience: ITPro localization_priority: Normal
+search.appverid:
- MET150 ms.assetid: 6f64f2de-d626-48ed-8084-03cc72301aa4-+ - M365-security-compliance - m365initiative-defender-office365 description: What are best practices for Exchange Online Protection (EOP) and Defender for Office 365 security settings? What's the current recommendations for standard protection? What should be used if you want to be more strict? And what extras do you get if you also use Defender for Office 365?
In PowerShell, you use the [New-SafeAttachmentPolicy](/powershell/module/exchang
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Safe Attachments unknown malware response** <p> _Enable_ and _Action_|**Off** <p> `-Enable $false`|**Block** <p> `-Enable $true` and `-Action Block`|**Block** <p> `-Enable $true` and `-Action Block`|When the _Enable_ parameter is $false, the value of the _Action_ parameter doesn't matter.|
+|**Safe Attachments unknown malware response** <p> _Enable_ and _Action_|**Off** <p> `-Enable $false` and `-Action Block`|**Block** <p> `-Enable $true` and `-Action Block`|**Block** <p> `-Enable $true` and `-Action Block`|When the _Enable_ parameter is $false, the value of the _Action_ parameter doesn't matter.|
|**Redirect attachment with detected attachments** : **Enable redirect** <p> _Redirect_ <p> _RedirectAddress_|Not selected and no email address specified. <p> `-Redirect $false` <p> _RedirectAddress_ is blank (`$null`)|Selected and specify an email address. <p> `$true` <p> an email address|Selected and specify an email address. <p> `$true` <p> an email address|Redirect messages to a security admin for review.| |**Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)** <p> _ActionOnError_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|| |
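Review bot: In the changed Safe Attachments row, the Default cell now shows `-Action Block` directly under a bolded **Off**, and the only explanation is in the last column ("When the _Enable_ parameter is $false, the value of the _Action_ parameter doesn't matter"). Say in the Default cell itself that the action is ignored while `-Enable $false`, so a reader scanning across the columns does not take the default as blocking. In the Redirect row that follows, the Standard and Strict cells give a bare `$true` while the Default cell gives `-Redirect $false`; name the parameter in all three.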
security Safe Docs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-docs.md
Previously updated : Last updated : audience: ITPro localization_priority: Normal
+search.appverid:
- MET150-
+ms.assetid:
+ - M365-security-compliance description: Learn about Safe Documents in Microsoft 365 E5 or Microsoft 365 E5 Security. ms.technology: mdo
Files sent by Safe Documents are not retained in Defender beyond the time needed
## Use the Microsoft 365 Defender to configure Safe Documents
-1. Open the Microsoft 365 Defender portal and go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**.
+1. Open the Microsoft 365 Defender portal and go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.
2. On the **Safe Attachments** page, click **Global settings**.
To learn more, see [Onboard to the Microsoft Defender for Endpoint service](/mic
To verify that you've enabled and configured Safe Documents, do any of the following steps: -- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments** \> **Global settings**, and verify the **Turn on Safe Documents for Office clients** and **Allow people to click through Protected View even if Safe Documents identifies the file as malicious** settings.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section \> **Global settings**, and verify the **Turn on Safe Documents for Office clients** and **Allow people to click through Protected View even if Safe Documents identifies the file as malicious** settings.
- Run the following command in Exchange Online PowerShell and verify the property values:
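Review bot: In the verification bullet, the new path puts the prose phrase "in the **Policies** section" in the middle of the `\>` chain, so it reads as if **Global settings** is reached from the Policies section rather than from the Safe Attachments page. Split it the way steps 1 and 2 of the configure procedure already do: go to **Safe Attachments** in the **Policies** section, then select **Global settings**. The heading "Use the Microsoft 365 Defender to configure Safe Documents" is also missing the word "portal".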
security Set Up Safe Attachments Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-attachments-policies.md
Title: Set up Safe Attachments policies in Microsoft Defender for Office 365
+f1.keywords:
- NOCSH
audience: Admin
localization_priority: Normal
+search.appverid:
- MET150 - MOE150 ms.assetid: 078eb946-819a-4e13-8673-fe0c0ad3a775-+ - M365-security-compliance description: Learn about how to define Safe Attachments policies to protect your organization from malicious files in email.
In Exchange Online PowerShell or standalone EOP PowerShell, you manage the polic
Creating a custom Safe Attachments policy in the Microsoft 365 Defender portal creates the safe attachment rule and the associated safe attachment policy at the same time using the same name for both.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.
2. On the **Safe Attachments** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
Creating a custom Safe Attachments policy in the Microsoft 365 Defender portal c
## Use the Microsoft 365 Defender portal to view Safe Attachments policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.
2. On the **Safe Attachments** page, the following properties are displayed in the list of policies: - **Name**
Creating a custom Safe Attachments policy in the Microsoft 365 Defender portal c
## Use the Microsoft 365 Defender portal to modify Safe Attachments policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.
2. On the **Safe Attachments** page, select a policy from the list by clicking on the name.
-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the Microsoft 365 Defender portal to create Safe Attachments policies](#use-the-microsoft-365-defender-portal-to-create-safe-attachments-policies) section earlier in this article.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the Microsoft 365 Defender portal to create Safe Attachments policies](#use-the-microsoft-365-defender-portal-to-create-safe-attachments-policies) section earlier in this article.
To enable or disable a policy or set the policy priority order, see the following sections. ### Enable or disable Safe Attachments policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.
2. On the **Safe Attachments** page, select a policy from the list by clicking on the name.
Safe Attachments policies are displayed in the order they're processed (the firs
To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.
2. On the **Safe Attachments** page, select a policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
## Use the Microsoft 365 Defender portal to remove Safe Attachments policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.
2. On the **Safe Attachments** page, select a custom policy from the list by clicking on the name of the policy.
For detailed syntax and parameter information, see [Remove-SafeAttachmentRule](/
To verify that you've successfully created, modified, or removed Safe Attachments policies, do any of the following steps: -- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name, and view the details in the fly out.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name, and view the details in the fly out.
- In Exchange Online PowerShell or Exchange Online Protection PowerShell, replace \<Name\> with the name of the policy or rule, run the following command, and verify the settings:
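Review bot: The re-added verification bullet still ends "view the details in the fly out", while step 3 of the modify procedure in this same file says "policy details flyout"; use "flyout" in both places. That step 3 line is also removed and re-added with no visible difference, so confirm it is a whitespace-only change and that it was intended.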
security Set Up Safe Links Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-links-policies.md
Title: Set up Safe Links policies in Microsoft Defender for Office 365
+f1.keywords:
- NOCSH audience: Admin Previously updated : Last updated : localization_priority: Normal
+search.appverid:
- MET150 - MOE150 ms.assetid: bdd5372d-775e-4442-9c1b-609627b94b5d-+ - M365-security-compliance description: Admins can learn how to view, create, modify, and delete Safe Links policies and global Safe Links settings in Microsoft Defender for Office 365. ms.technology: mdo
Creating a custom Safe Links policy in the Microsoft 365 Defender portal creates
2. On the **Safe Links** page, select a policy from the list by clicking on the name.
-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the Microsoft 365 Defender portal to create Safe Links policies](#use-the-microsoft-365-defender-portal-to-create-safe-links-policies) section in this article.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the Microsoft 365 Defender portal to create Safe Links policies](#use-the-microsoft-365-defender-portal-to-create-safe-links-policies) section in this article.
To enable or disable a policy or set the policy priority order, see the following sections. ### Enable or disable Safe Links policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Links**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section.
2. On the **Safe Links** page, select a policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
- In the Microsoft 365 Defender portal, you can only change the priority of the Safe Links policy after you create it. In PowerShell, you can override the default priority when you create the safe links rule (which can affect the priority of existing rules). - Safe Links policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Links**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section.
2. On the **Safe Links** page, select a policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
## Use the Microsoft 365 Defender portal to remove Safe Links policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Links**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section.
2. On the **Safe Links** page, select a policy from the list by clicking on the name. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
security Use Dkim To Validate Outbound Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email.md
Title: How to use DKIM for email in your custom domain
+f1.keywords:
- NOCSH
audience: ITPro
localization_priority: Priority
+search.appverid:
- MET150 ms.assetid: 56fee1c7-dc37-470e-9b09-33fff6d94617-+ - M365-security-compliance - m365initiative-defender-office365-+ - seo-marvel-apr2020 description: Learn how to use DomainKeys Identified Mail (DKIM) with Microsoft 365 to ensure messages sent from your custom domain are trusted by the destination email systems. ms.technology: mdo
In this example, if you had only published an SPF TXT record for your domain, th
> DKIM uses a private key to insert an encrypted signature into the message headers. The signing domain, or outbound domain, is inserted as the value of the **d=** field in the header. The verifying domain, or recipient's domain, then uses the **d=** field to look up the public key from DNS, and authenticate the message. If the message is verified, the DKIM check passes. ## Steps to Create, enable and disable DKIM from Microsoft 365 Defender portal
-All the accepted domains of your tenant will be shown in Microsoft 365 Defender portal under DKIM page. If you do not see it, add your accepted domain from [domains page](/microsoft-365/admin/setup/add-domain?view=o365-worldwide#add-a-domain).
+
+All the accepted domains of your tenant will be shown in Microsoft 365 Defender portal under DKIM page. If you do not see it, add your accepted domain from [domains page](/microsoft-365/admin/setup/add-domain#add-a-domain).
Once your domain is added, follow the steps as shown below to configure DKIM.
-Step 1: Click on the domain you wish to configure DKIM on DKIM page
-![image](https://user-images.githubusercontent.com/3039750/126996261-2d331ec1-fc83-4a9d-a014-bd7e1854eb07.png)
+Step 1: Click on the domain you wish to configure DKIM on DKIM page.
+
+![DKIM page in the Microsoft 365 Defender portal with a domain selected](../../media/126996261-2d331ec1-fc83-4a9d-a014-bd7e1854eb07.png)
+
+Step 2: Click on Create DKIM keys.
-Step 2: Click on Create keys
-![image](https://user-images.githubusercontent.com/3039750/127001645-4ccf89e6-6310-4a91-85d6-aaedbfd501d3.png)
+![Domain details flyout with the Create DKIM keys button](../../media/127001645-4ccf89e6-6310-4a91-85d6-aaedbfd501d3.png)
Step 3: Copy the CNAMES shown in the pop up window
-![image](https://user-images.githubusercontent.com/3039750/127001787-3cce2c29-e0e4-4712-af53-c51dcba33c46.png)
-Step 4: Publish the copied CNAME records to your DNS service provider.
+![Publish CNAMEs pop up window that contains the two CNAME records to copy](../../media/127001787-3cce2c29-e0e4-4712-af53-c51dcba33c46.png)
+
+Step 4: Publish the copied CNAME records to your DNS service provider.
+ On your DNS provider's website, add CNAME records for DKIM that you want to enable. Make sure that the fields are set to the following values for each:
+```text
Record Type: CNAME (Alias)
-Host: Paste the values you copy from DKIM page.
+> Host: Paste the values you copy from DKIM page.
Points to address: Copy the value from DKIM page. TTL: 3600 (or your provider default)
+```
+
+Step 5: Return to DKIM page to enable DKIM.
-Step 5: Return to DKIM page to enable DKIM
-![image](https://user-images.githubusercontent.com/3039750/126995186-9b3fdefa-a3a9-4f5a-9304-1099a2ce7cef.png)
+![Slide the toggle to Enabled to enable DKIM](../../media/126995186-9b3fdefa-a3a9-4f5a-9304-1099a2ce7cef.png)
+
+If you see CNAME record doesn't exist error, it might be due to:
-If you see CNAME record doesn't exist error, it might be due to
1. Synchronization with DNS server, which might take few seconds to hours, if the problem persists repeat the steps again 2. Check for any copy paste errors, like additional space or tabs etc. If you wish to disable DKIM, toggle back to disable mode - ## Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys <a name="1024to2048DKIM"> </a>
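Review bot: In Step 4, the added line `> Host: Paste the values you copy from DKIM page.` sits inside the new text code fence, where the leading `>` renders literally next to the record value instead of as a blockquote; remove the `>`. As shown here, "Points to address" and "TTL" also share one line inside the fence and should each get their own line so the fields can be read separately. Step 3 is the only step left without a closing period, and the image files keep the numeric names from the old user-images URLs; descriptive file names would match the new alt text.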
Once you have published the CNAME records in DNS, you are ready to enable DKIM s
1. Open the Microsoft 365 Defender portal [using your work or school account](https://support.microsoft.com/office/e9eb7d51-5430-4929-91ab-6157c5a050b4).
-2. Go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Rules** section \> **DKIM**. Or, to go directly to the DKIM page, use <https://security.microsoft.com/dkimv2>.
+2. Go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **DKIM** in the **Rules** section. Or, to go directly to the DKIM page, use <https://security.microsoft.com/dkimv2>.
3. On the **DKIM** page, select the domain by clicking on the name.
Although DKIM is designed to help prevent spoofing, DKIM works better with SPF a
## More information
-Key rotation via PowerShell
-[Rotate-DkimSigningConfig](/powershell/module/exchange/rotate-dkimsigningconfig)
+Key rotation via PowerShell: [Rotate-DkimSigningConfig](/powershell/module/exchange/rotate-dkimsigningconfig)
security Walkthrough Spoof Intelligence Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight.md
There are two ways to allow and block spoofed senders:
### Manage spoofed senders in the spoof intelligence policy
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
2. On the **Anti-spam policies** page, select **Spoof intelligence policy** by clicking on the name.
For detailed syntax and parameter information, see [Set-PhishFilterPolicy](/powe
To verify that you've configured spoof intelligence with senders who are allowed and not allowed to spoof, use any of the following steps: -- **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam** \> **Spoof intelligence policy** \> select **Show me senders I already reviewed** \> select the **Your Domains** or **External Domains** tab, and verify the **Allowed to spoof?** value for the sender.
+- **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section \> **Spoof intelligence policy** \> select **Show me senders I already reviewed** \> select the **Your Domains** or **External Domains** tab, and verify the **Allowed to spoof?** value for the sender.
- In PowerShell, run the following commands to view the senders who are allowed and not allowed to spoof:
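Review bot: The verification bullet now mixes three things in one `\>` chain: menu names, the location phrase "in the **Policies** section", and the instructions "select **Show me senders I already reviewed**" and "select the ... tab". Break it into one short sentence per action, and open it with "In the Microsoft 365 Defender portal, go to" as step 1 of the manage procedure in this file does.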
security Whats New In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/whats-new-in-defender-for-office-365.md
Learn more by watching [this video](https://www.youtube.com/watch?v=Tdz6KfruDGo&
## July 2021 - [Email analysis improvements in automated investigations](email-analysis-investigations.md)
+- [Advanced Delivery](configure-advanced-delivery.md): Introducing a new capability for configuring the delivery of third-party phishing simulations to users and unfiltered messages to security operation mailboxes.
- [Safe Links for Microsoft Teams](safe-links.md#safe-links-settings-for-microsoft-teams)
+- New alert policies for the following scenarios: compromised mailboxes, Forms phishing, malicious mails delivered due to overrides and rounding out ZAP
+ - Suspicious email forwarding activity
+ - User restricted from sharing forms and collecting responses
+ - Form blocked due to potential phishing attempt
+ - Form flagged and confirmed as phishing
+ - [New alert policies for ZAP](new-defender-alert-policies.md)
+- Microsoft Defender for Office 365 alerts are now integrated into Microsoft 365 Defender - [Microsoft 365 Defender Unified Alerts Queue and Unified Alerts Queue](investigate-alerts.md)
+- [User Tags](user-tags.md) are now integrated into Microsoft Defender for Office 365 alerting experiences, including: the alerts queue and details in Office 365 Security & Compliance, and scoping custom alert policies to user tags to create targeted alert policies.
+ - Tags are also available in the unified alerts queue in the Microsoft 365 Defender center (Microsoft Defender for Office 365 Plan 2)
## June 2021 - New first contact safety tip setting within anti-phishing policies. This safety tip is shown when recipients first receive an email from a sender or do not often receive email from a sender. For more information on this setting and how to configure it, see the following articles:--- [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip)-- [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md)-- [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md)
+ - [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip)
+ - [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md)
+ - [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md)
## April/May 2021
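Review bot: In the July 2021 additions, the link text "Microsoft 365 Defender Unified Alerts Queue and Unified Alerts Queue" repeats the same name twice; correct the second name or drop it. The alert policies bullet names four scenarios (compromised mailboxes, Forms phishing, malicious mails delivered due to overrides, ZAP), but the sub-list has no entry for the overrides scenario, and its last item is a link titled "New alert policies for ZAP" rather than an alert name like the four before it. Either list the missing alert names or turn the ZAP link into a "see also" sentence after the list.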