+## Watch: Act on a usage report in Microsoft 365

+Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2198103).<br><br>

+Reports provide information about your organization's usage data. By default, reports display information with identifiable names for users, groups, and sites. Starting September 1, 2021, we are hiding user information by default for all reports as part of our ongoing commitment to help companies support their local privacy laws.

+## Add an existing domain to your Microsoft 365 Business Basic subscription

+1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>.

+You can add users in the wizard, but you can also [add users later](../add-users/add-users.md) in the admin center.

+ For more information about the setup wizard and the admin center **Setup** page, see [Difference between the setup wizard and the Setup page](o365-setup-wizard-and-setup-page.md).

+## Watch: Set up business email with a new domain

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWyVVA]

+## Steps: Set up business email with a new domain

+1. From the **How you'll sign in** page on the Microsoft 365 Business Standard sign up, choose **Create a new business email account (advanced)**.

+2. Follow the steps to buy a new domain and enter the domain name you want to use (like contoso.com). After you've completed buying your domain, you can [add users and licenses](../add-users/add-users.md) and install your Office apps in the admin center.

+## Finish setting up

+Follow the steps below to set up Outlook, Teams, OneDrive and your website.

+### Step: Set up Outlook for email

+1. On the Windows Start menu, search for Outlook, and select it.

+ (If you're using a Mac, open Outlook from the toolbar or locate it using the Finder.)

+ If you've just installed Outlook, on the Welcome page, select **Next**.

+2. Choose **File** \> **Info** \> **Add Account**.

+3. Enter your Microsoft email address and select **Connect**.

+## Watch: Set up Outlook for email

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/9fe86884-8a83-42cc-bca9-61a12e6dad31?autoplay=false]

+

+More at [Set up Outlook for email](https://support.microsoft.com/office/f5bf0cd1-e1f3-4b0d-a022-ecab17efe86f).

+

+### Import email

+If you were using Outlook with another email account, you can import your previous email, calendar, and contacts into your new Microsoft account.

+

+1. **Export your old email**

+ In Outlook, choose **File** \> **Open &amp; Export** \> **Import/Export**.

+ Select **Export to a File** and then follow the steps to export your Outlook Data File (.pst) and any subfolders.

+2. **Import your old email**

+ In Outlook, choose **File** \> **Open &amp; Export** \> **Import/Export** again.

+ This time, select **Import from another program or file** and follow the steps to import the backup file you created when you exported your old email.

+## Watch: Import and redirect email

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/40f7df36-9e24-44e5-8791-e9ed0dd8fd21?autoplay=false]

+

+More at [Import email with Outlook](https://support.microsoft.com/office/6a3771d4-4c1d-4a25-92a6-0b8e476335de).

+You can also use <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a> to import everyone's email. For more information, see [migrate multiple email accounts](/Exchange/mailbox-migration/mailbox-migration).

+## Set up Microsoft Teams and OneDrive for business

+Select the OneDrive cloud icon from your taskbar and follow the steps to move your files to your new OneDrive for Business folder. Select **Next** to set up Microsoft Teams.

+1. Open Microsoft Teams, select your profile icon, and then **Add work or school account**. Follow the steps to add your new account to Teams.

+## Use a public website

+Microsoft 365 doesn't include a public website for your business. If you want to set one up, consider using a Microsoft partner, such as GoDaddy or WIX.

+

+1. From the admin center, go to **Resources**, and then select **Public website**.

+2. Select **Learn more** under one of the options, and then sign up with a website partner and use their tools to set up and design your site.

+## Watch: Create your business website

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/4839abc6-9323-4cbf-a79d-2907235f9ebb]

+## Invite users to join your subscription and organization

+Once you've set up your organization, you can invite other users to join your Microsoft 365 business subscription. They'll get access to all the features of the subscription.

+[Invite users to my subscription](../simplified-signup/admin-invite-business-standard.md)

+Let your users know they can follow the steps in the articles below to join your organization and subscription.

+- [Accept an email invitation](../simplified-signup/user-invite-business-standard.md)

+- [Accept an email invitation using an Outlook, Yahoo, Gmail or other account (User)](../simplified-signup/user-invite-msa-nodomain-join.md)

+## Related topics

+[Migrate data to my Microsoft 365 Business Standard subscription](../simplified-signup/migrate-data-business-standard.md)

+ Title: "Sign up for Microsoft 365 Business Basic"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: high

+- M365-subscription-management

+- Adm_O365

+- Adm_TOC

+- Adm_O365_Setup

+- TRN_SMB

+- TRN_M365B

+- OKR_SMB_Videos

+- AdminSurgePortfolio

+- AdminTemplateSet

+search.appverid:

+- MET150

+- MOE150

+- BEA160

+description: "Learn how to sign up for a Microsoft 365 Business Basic subscription."

+# Sign up for Microsoft 365 Business Basic

+Want to sign up for a Microsoft 365 Business Basic?

+There are a couple of ways to get started:

+- **[Buy](https://go.microsoft.com/fwlink/?linkid=2181424) Microsoft 365 Business Basic and complete the set up**. [Follow the steps below for info on how to buy](#sign-up-steps).

+- **For Microsoft partners**: **Do we have a link here?**

+**Need something different?** You can:

+- [Sign up for a home or family plan](https://go.microsoft.com/fwlink/?linkid=2109398) if you're not buying for a business.

+> [!Note]

+> Microsoft 365 Business Basic subscription is for commercial use and is intended for business customers.

+## Sign up steps

+To buy, and sign up for Microsoft 365 Business Basic subscription, complete the following steps.

+> [!IMPORTANT]

+> The person who signs up for Microsoft 365 for business (usually the business owner) automatically becomes the technical administrator of the organization. You can add other people as admins if you want help managing your Microsoft 365 services. Check out [Assign admin roles](../add-users/assign-admin-roles.md) for more info.

+1. On the [For business page](https://go.microsoft.com/fwlink/?linkid=2181424), see what's included in Microsoft 365. Under Microsoft 365 Business Basic, select **Buy now**.

+2. On the **Thank you for choosing Microsoft 365 Business Basic** page, enter an email address that you already use. This can be any address you want Microsoft to use to communicate with you during setup. It is also the address where we'll send you information about your bill and renewals. Select **Next**.

+3. Select **Set up account** and enter your name, business phone number, business size, company name, and location. Select **Next**.

+> [!NOTE]

+> We display your company name in the Microsoft 365 admin center. This is where you manage users, licenses and other features and services. We also include it in any internal SharePoint site URLs.

+4. Help us make sure this is you. Enter a number that we can use to reach you and select **Send Verification Code**. You'll receive a text. Enter your code and select **Verify**.

+5. Decide how you'll sign in to Microsoft 365. You can [sign in with your current personal email or [create a new account](setup-business-basic.md) by adding a domain.

+6. Select how many business licenses you want for your organization and select **Add payment method** and continue with checkout to **Place order**.

+3. On the **Confirmation details** page, we'll give you some more info about your subscription. You can now go to the Microsoft 365 admin center to add users, install Office apps, invite your team to use Microsoft 365 and more. We'll also send you an email with set up steps.

+Follow these steps to [finish setting up](setup-apps-for-business.md) your Microsoft Business Basic subscription. You can also [add a domain](../setup/add-domain.md) when you're ready.

+## Choosing the right business subscription

+When signing up for Microsoft 365 Business Basic, you have 2 options for how to get started. Evaluate three key factors to choose which best meets your needs:

+- Which apps and services do you want to use straight away?

+- How much technical skill do you have?

+- Do you need Microsoft to act as a processor for your data?

+The table below outlines each choice.

+||**Option 1** ΓÇô Sign in with Outlook, Hotmail, Yahoo, Gmail or other email account [(Simplified Sign-up)](#terms-of-service-update-for-simplified-sign-up-mode)|**Option 2** ΓÇô Add a business domain and create a new business email account |

+|:--|:--|:--|

+|Available apps and services <br/> |Use Word for the web, Excel for the web, PowerPoint for the web, Teams for the web and Access for the web. OneDrive and SharePoint desktop app are included. This set of apps is best for very small businesses who don't need branded email immediately, or who already use branded email from a different provider and do not intend to switch to use Microsoft Exchange. YouΓÇÖll use Outlook with your existing email account (be it outlook.com, Hotmail, Yahoo, Gmail or other). <br/> |Use Word for the web, Excel for the web, PowerPoint for the web, Teams for the web and Access for the web. OneDrive and SharePoint desktop app are included. Microsoft 365 Business Basic with Option 2 also lets you access a wide range of additional

+|Required knowledge <br/> |LetΓÇÖs you get started without technical know-how. <br/> |Requires you to buy a domain, or to own a domain. You may need technical knowledge to prove ownership of the domain. <br/> |

+|Data handling <br/> |Available under the Supplement to the [Microsoft Services Agreement](https://go.microsoft.com/fwlink/p/?linkid=2180702) and is best for businesses that want some remote work and collaboration tools and are comfortable with Microsoft acting as controller for your data under the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?LinkId=521839). Subscribers to services using this option will not have access to an individualΓÇÖs user content or data until a domain is attached. Subscribers should evaluate data ownership and intellectual property rights considerations based on their needs. For example, if you are working collaboratively with other users on a document stored in their account, they may choose to make those documents inaccessible to you. As such, you should evaluate data ownership and intellectual property rights considerations accordingly. Separately, users may choose not to transfer documents in their Simplified Sign-Up account to your Domain Account subscription, even after you invite them to do so. This means their documents may also not be accessible to you even if you add a domain account later <br/> |Available under the [Microsoft Online Subscription Agreement](https://go.microsoft.com/fwlink/p/?linkid=2180430) and is best for businesses that need Microsoft to act as a processor for their data under Microsoft's [Data Protection Addendum](https://go.microsoft.com/fwlink/p/?linkid=2180314) and need our full suite of remote work and collaboration tools. Subscribers who are in regulated industries or seek more control, both over the use of the services by your employees and over processing of related data by Microsoft, should choose Option 2 and attach a domain and sign up under the Domain Account enterprise-level agreement. <br/> |

+Use these three factors to determine which of the two options is best for your business needs.

+### Option 1: Sign in with your Outlook, Hotmail, Yahoo, Gmail or other email account

+You'll sign in to Microsoft 365 with this email address. For example, alliebellew@hotmail.com.

+1. Create a password on the next page, and select **Create account** to continue. On the next page, read about how we handle your data and select whether you want Microsoft Partners to contact you. Select **Next**.

+2. Select how many Microsoft 365 Business Basic licenses you want for your organization and select **Add payment method** and continue with checkout to **Place order**.

+3. On the **Confirmation details** page, we'll give you some more info about your subscription. You can now go to the Microsoft 365 admin center to add users, install Office apps, invite your team to use Microsoft 365 and more. We'll also send you an email with set up steps for Microsoft 365 Business Basic.

+Remember this option doesn't provide branded email, admin control for use of the services by other users, or industry specific compliance support. Subscribers don't have any access or control over other usersΓÇÖ (employees) usage or documents under this option Users may choose not to transfer data created in storage such as OneDrive/Teams to your upgraded, enterprise-level domain account should you not choose option 2 immediately.

+<!--This option isn't recommended for larger businesses, including specialty industries such as healthcare or legal.-->

+### Option 2: Create a new business email account and attach a domain

+With this option, youΓÇÖll be able to use Microsoft 365 Exchange as your professional, branded email provider. All your users will have a shared domain email address. For example, their username, followed by @contoso.com. You and your users sign into Microsoft 365 with this new email address. When you follow this process (add a domain and create new business email accounts), youΓÇÖll get access to all the features provided in Microsoft 365 Business Basic. For steps on how to buy or add a domain, see [Set up Microsoft 365 Business Basic](../setup/setup-business-basic.md).

+This option provides immediate access to the full suite of features in your Microsoft 365 Business subscription but may require technical steps to be completed up front.

+If you would like to add a domain and create a business email account, you can follow the steps in the articles below:

+- [Add a domain to Microsoft 365](../setup/add-domain.md)

+- [Finish setting up](setup-business-basic.md#finish-setting-up)

+## Terms of service update for Simplified Sign Up mode

+**Applies to: Existing subscribers of Microsoft 365 Business Basic who previously purchased using Simplified Sign-up mode**.

+If you previously used Simplified Sign Up mode to purchase a business subscription before October 2021 without adding a business domain you may need to accept new terms of service for uninterrupted service and usage of the Microsoft Office apps. You may be sent emails or you'll see in-app prompts when you sign in to Microsoft 365 admin Center.

+The Simplified Sign Up terms of use have been recently updated, and notably they clarify licensing and data ownership for multi-user business subscriptions. For continued service of your business subscription, you may either visit the [Microsoft 365 admin Center](https://go.microsoft.com/fwlink/?linkid=2024339) and stay using **Simplified Sign Up** (and agree to use the Microsoft Services Agreement Supplemental), or visit the [Microsoft 365 admin Center](https://go.microsoft.com/fwlink/?linkid=2024339) and add a **business domain** (and use the Microsoft Online Services Agreement). To help you choose which of these two modes best suits your needs, consult the table at the top of this article.

+Should you choose not to accept the updated terms for Simplified Sign Up or to add a business domain, your subscription will not automatically renew, and at the end of your current subscription contract, you will lose access to the Office apps. Your OneDrive data will be retained for 90 days for you to make copies of it, and then it will be deleted.

+## Frequently asked questions

+### What is a business email and what are the advantages to setting one up?

+A business email is an email that uses your own domain name. For example, if you own the domain name `contoso.com`, you can build a website using the url `www.contoso.com`, but you can also have a custom email address such as yourname@contoso.com. This is referred to as a branded business email as it gives your email a professional look.

+### How do I get a new business email address?

+There are three options for getting a business email.

+- You can use a suggested onmicrosoft.com domain for free (someone@mybusiness.onmicrosoft.com).

+- You can buy a new domain to have a more compact email address (mybusinessname@contoso.com).

+- You use a domain name that you already own.

+### Why might I need to verify my domain to create a business email?

+If you choose to use a domain you already own, you can use it for your email address with Microsoft 365. As part of sign up process, we ask you to verify the domain so you can send emails via Microsoft 365. This confirms that you are the owner of the domain that is sending emails with that identity, which enhances security and prevents fraudulent activity.

+### Is there a benefit to paying monthly vs annually?

+To provide customers with the greatest amount of flexibility, different payment options are available.

+- Microsoft 365 Business Basic, Apps for business, Business Standard, and Business Premium plans are available for monthly commitment payment or annual commitment payment.

+- Monthly commitment payment: You pay month by month, and you can cancel at any time.

+- Annual commitment payment: You sign up for a one-year subscription, but you can choose to pay month to month or pay for the entire year at the time you sign up. There is a discount for using this payment option.

+### How does recurring billing work?

+When Recurring billing is on, your subscription will continue to be billed each year on the day you subscribed. You can turn it off or back on again in the admin center if your subscription is active. Learn more at [Turn recurring billing off or on](../../commerce/subscriptions/renew-your-subscription.md#turn-recurring-billing-off-or-on).

+### What do I do if I want to change my business name?

+Contact our small business support experts who can help you change your business name. Learn more at [Get support](../get-help-support.md).

+## Set up Microsoft 365 Business Basic

+For steps on how to buy or add a domain, see [Set up Microsoft 365 Business Basic with a new or existing domain](../setup/setup-business-basic.md).

+ Title: "Invite users to a Microsoft 365 business subscription"

+# Invite users to a Microsoft 365 for business subscription (Admin)

+> These steps apply to Microsoft 365 Business Standard, Microsoft 365 Business Basic and Microsoft 365 Apps for business.

+## Share an invitation to a Microsoft 365 for business subscription

+# Migrate data to my Microsoft 365 for business subscription

+ Title: "Accept an email invitation to a Microsoft 365 for business subscription (User)"

+description: "Accept invite to join a Microsoft 365 for business organization"

+# Accept an email invitation to a Microsoft 365 for business subscription (User)

+> [!IMPORTANT]

+> These steps apply to Microsoft 365 Business Standard, Microsoft 365 Business Basic and Microsoft 365 Apps for business.

+> If youΓÇÖre an admin and youΓÇÖre looking for steps on how to send a user an invite to your Microsoft 365 for business subscription, check out [Invite users to Microsoft 365 Business Standard (Admin)](admin-invite-business-standard.md).

+## Join a Microsoft 365 for business organization

+### Next steps - Migrate your data to Microsoft 365 for business

+Follow the steps in the [Migrate data to my Microsoft 365 for business subscription](migrate-data-business-standard.md) to move your OneDrive, Outlook and Teams data.

+Your data will remain in your old account, nothing will be deleted. You will be still able to sign in to your old Gmail, Outlook, Yahoo, or other email account like you did before. You should now move your work files to your new work account. Learn how to do that here: [Migrate data to my Microsoft 365 for business subscription](migrate-data-business-standard.md).

+When using an upgraded Microsoft 365 Business account, your documents, email and data that you create within Microsoft Office (and within other apps in Microsoft 365 for business subscriptions) will be owned by the technical administrator in your organization. For example, the person who sent you the invitation email or your business owner.

+ Title: "Accept an email invitation to a Microsoft 365 for business subscription organization using an Outlook, Yahoo, Gmail or other account (User)"

+# Accept an email invitation to a Microsoft 365 for business subscription organization using an Outlook, Yahoo, Gmail or other account (User)

+> [!IMPORTANT]

+> These steps apply to Microsoft 365 Business Standard, Microsoft 365 Business Basic and Microsoft 365 Apps for business.

+> If youΓÇÖre an admin and youΓÇÖre looking for steps on how to send a user an invite to your Microsoft 365 for business subscription, check out [Invite users to Microsoft 365 for business (Admin)](admin-invite-business-standard.md).

+## Join a Microsoft 365 for business organization using an Outlook, Yahoo, Gmail or other account

+Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (e.g. SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to ensure user-level privacy.

+- (preview) Document or attachment is password protected (.pdf, Office files and Symantec PGP encrypted files are fully supported).This predicate doesnΓÇÖt detect digital rights managed (DRM) encrypted or permission protected files.

+- (preview) Content is not labeled (.pdf, Office files are fully supported). This predicate detects content that doesn't have a sensitivity label applied. To help ensure only supported file types are detected, you should use this condition with the **File extension is** or **File type is** conditions.

+## Encryption-based label matching for documents

+When a document has been encrypted with administrator-defined permissions, the encryption information includes information about a matching sensitivity label. As a result, when a user opens that document in an Office app, the matching label is displayed in the Office app and persists if the document is saved.

+In this scenario, the matching sensitivity label can label an unlabeled document, and replace an existing label that doesn't apply encryption. For example, the **General** label is replaced with **Confidential / All Employees**. Content markings from the matching label aren't automatically applied, unless the document was previously unlabeled and you're using the AIP Add-in.

+This scenario helps to move older encryption solutions from protection templates to sensitivity labels that apply encryption.

+However, you will also see this behavior with a labeling scenario for email attachments when they are opened by the recipient. For example:

+1. A user creates an email and attaches an unencrypted Office document, and then applies a label to the email.

+

+ The label applies encryption with permissions that are set by the administrator, rather than the Do Not Forward or Encrypt-Only options. For example, for the label configuration, the admin selects **Assign permissions now**, and specifies all employees have read access.

+2. When the email is sent, the [attachment automatically inherits the encryption, but not the label](encryption-sensitivity-labels.md#email-attachments-for-encrypted-email-messages).

+3. When a recipient in the same tenant opens the encrypted document, a matching label for the admin-defined permissions is automatically displayed for the document, and persists if the document is saved.

+

+ As an auditing event that's displayed in Activity Explorer, this user applied the label, not the email sender.

+Encryption-based label matching works only within the tenant, for admin-defined permissions, and the matching sensitivity label must be published to the user who opens the document.

+ > If you've selected one or more folders or are migrating a large set of files, classification might take up to 24 hours.

+## August 2022

+- Defender Vulnerability Management is now supported for Amazon Linux 2 and Fedora 33 or higher.

+- [Broswer extensions APIs](../defender-endpoint/get-assessment-browser-extensions.md)</br>

+ You can now use the new broswer extenstions APIs to view all browser extensions installed in your organization, including installed versions, permissions requested, and associated risk.

+- [Extended software inventory API support for non product code software](../defender-endpoint/get-assessment-non-cpe-software-inventory.md)</br>

+ A new API is now available and returns all the data for installed software that doesn't have a [Common Platform Enumeration(CPE)](https://nvd.nist.gov/products/cpe). The information returned by this API, along with the information returned by the Export software inventory assessment API, for software that does have a CPE, gives you full visibility into the software installed across your organization and the devices itΓÇÖs installed on.

+## Report good email to Microsoft

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

+2. On the **Submissions** page, verify that the **Emails** tab is selected.

+3. On the **Emails** tab, click  **Submit to Microsoft for analysis**.

+4. In the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

+ - **Select the submission type**: Verify the value **Email** is selected.

+ - **Add the network message ID or upload the email file**: Select one of the following options:

+ - **Add the email network message ID**: This is a GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header in the message or in the **X-MS-Office365-Filtering-Correlation-Id** header in quarantined messages.

+ - **Upload the email file (.msg or .eml)**: Click **Browse files**. In the dialog that opens, find and select the .eml or .msg file, and then click **Open**.

+ - **Choose a recipient who had an issue**: Specify the recipient that you would like to run a policy check against. The policy check will determine if the email was blocked due to user or organization policies.

+ - **Select a reason for submitting to Microsoft**: Select **Should not have been blocked (False positive)**, and then configure the following settings:

+ - **Allow emails with similar attributes (URL, sender, etc.)**: Turn on this setting .

+ - **Remove allow entry after**: The default value is **30 days**, but you can select from the following values:

+ - **1 day**

+ - **7 days**

+ - **30 days**

+ - **Specific date**: The maximum value is 30 days from today.

+ For spoofed senders, this value is meaningless, because entries for spoofed senders never expire.

+ - **Allow entry note**: Enter optional information about why you're allowing this email.

+ For spoofed senders, any value you enter here is not shown in the allow entry on the **Spoofed senders** tab on the **Tenant Allow/Block List**.

+ When you're finished, click **Submit**, and then click **Done**.

+ :::image type="content" source="../../media/admin-submission-email-allow.png" alt-text="Submit a false positive (good) email to Microsoft for analysis on the Submissions page in the Defender portal." lightbox="../../media/admin-submission-email-allow.png":::

+After a few moments, the allow entry will appear on the **Domains & addresses** or **Spoofed senders** tab on the **Tenant Allow/Block List** page.

+> [!NOTE]

+>

+> - When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List.

+> - If the sender has not already been blocked, submitting the email message to Microsoft won't create an allow entry in the Tenant Allow/Block List.

+> - Allows are added during mail flow, based on which filters determined the message to be malicious. For example, if the sender and a URL in the message were determined to be bad, an allow entry is created for the sender, and an allow entry is created for the URL.

+> - When that entity (domain or email address, URL, file) is encountered again, all filters associated with that entity are skipped.

+> - During mail flow, if messages from the domain or email address pass other checks in the filtering stack, the messages will be delivered. For example, if [email authentication](email-validation-and-authentication.md) passes, a message from a sender in the allow entry will be delivered.

+## Report good email attachments to Microsoft

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

+2. On the **Submissions** page, select the **Email attachments** tab.

+3. On the **Email attachments** tab, click  **Submit to Microsoft for analysis**.

+4. On the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

+ - **Select the submission type**: Verify the value **Email attachment** is selected.

+ - **File**: Click **Browse files** to find and select the file to submit.

+ - **Select a reason for submitting to Microsoft**: Select **Should not have been blocked (False positive)**, and then configure the following settings:

+ - **Allow this file**: Turn on this setting .

+ - **Remove allow entry after**: The default value is **30 days**, but you can select from the following values:

+ - **1 day**

+ - **7 days**

+ - **30 days**

+ - **Specific date**: The maximum value is 30 days from today.

+ - **Allow entry note**: Enter optional information about why you're allowing this file.

+ When you're finished, click **Submit**, and then click **Done**.

+ :::image type="content" source="../../media/admin-submission-file-allow.png" alt-text="Submit a false positive (good) email attachment to Microsoft for analysis on the Submissions page in the Defender portal." lightbox="../../media/admin-submission-file-allow.png":::

+After a few moments, an allow entry will appear on the **Files** tab on the **Tenant Allow/Block List** page.

+> [!NOTE]

+> When the file is encountered again, it's not sent for [Safe Attachments](safe-attachments.md) detonation or file reputation checks, and all other file-based filters are skipped. During mail flow, if messages containing the file pass other non-file checks in the filtering stack, the messages will be delivered.

+## Report good URLs to Microsoft

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

+2. On the **Submissions** page, select the **URLs** tab

+3. On the **URLs** tab, click  **Submit to Microsoft for analysis**.

+4. In the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

+ - **Select the submission type**: Verify the value **URL** is selected.

+ - **URL**: Enter the full URL (for example, `https://www.fabrikam.com/marketing.html`), and then select it in the box that appears.

+ - **Select a reason for submitting to Microsoft**: Select **Should not have been blocked (False positive)**, and then configure the following settings:

+ - **Allow this URL**: Turn on this setting .

+ - **Remove allow entry after**: The default value is **30 days**, but you can select from the following values:

+ - **1 day**

+ - **7 days**

+ - **30 days**

+ - **Specific date**: The maximum value is 30 days from today.

+ - **Allow entry note**: Enter optional information about why you're allowing this URL.

+ When you're finished, click **Submit**, and then click **Done**.

+ :::image type="content" source="../../media/admin-submission-url-allow.png" alt-text="Submit a false positive (good) URL to Microsoft for analysis on the Submissions page in the Defender portal." lightbox="../../media/admin-submission-url-allow.png":::

+After a few moments, an allow entry will appear on the **URL** tab on the **Tenant Allow/Block List** page. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+> [!NOTE]

+>

+> - When the URL is detected again, it's not sent for [Safe Links](safe-links.md) detonation or URL reputation checks, and all other URL-based filters are skipped.

+> - During mail flow, if messages containing the URL pass other non-URL checks in the filtering stack, the messages will be delivered.

+When you use the Submissions portal at <https://security.microsoft.com/reportsubmission> to report email messages as **Should have been blocked (False negative)**, you can select **Block all emails from this recipient** to add a block entry for the sender on the **Domains & addresses** tab in the Tenant Allow/Block List.

+You can't create allow entries for domains and email addresses directly in the Tenant Allow/Block List. Instead, you use the Submissions portal at <https://security.microsoft.com/reportsubmission> to report the message as a false positive, which also adds an allow entry for the sender on the **Domains & addresses** tab in the Tenant Allow/Block List.

+For instructions, see [Report good email to Microsoft](admin-submission.md#report-good-email-to-microsoft).

+When you modify allow or block entries for domains and email addresses in the Tenant Allow/Block list, you can only modify the expiration date and notes.

+Submitting messages that were blocked by [spoof intelligence](learn-about-spoof-intelligence.md) to Microsoft in the **Submissions** portal at <https://security.microsoft.com/reportsubmission> adds the sender as an allow entry for the sender on the **Spoofed senders** tab in Tenant Allow/Block List.

+For instructions, see [Report good email to Microsoft](admin-submission.md#report-good-email-to-microsoft).

+When you use the Submissions portal at <https://security.microsoft.com/reportsubmission> to report files as **Should have been blocked (False negative)**, you can select **Block this file** to add a block entry on the **Files** tab in the Tenant Allow/Block List.

+This example adds a block entry for the specified files that never expires.

+You can't create allow entries for files directly in the Tenant Allow/Block List. Instead, you use the Submissions portal at <https://security.microsoft.com/reportsubmission> to report the message attachment as a false positive, which also adds an allow entry on the **Files** tab in the Tenant Allow/Block List.

+For instructions, see [Report good email attachments to Microsoft](admin-submission.md#report-good-email-attachments-to-microsoft).

+When you modify allow or block entries for files in the Tenant Allow/Block list, you can only modify the expiration date and notes.

+When you use the Submissions portal at <https://security.microsoft.com/reportsubmission> to report URLs as **Should have been blocked (False negative)**, you can select **Block this URL** to add a block entry on the **URLs** tab in the Tenant Allow/Block List.

+This example adds a block entry for the URL contoso.com and all subdomains (for example, contoso.com and xyz.abc.contoso.com). Because we didn't use the ExpirationDate or NoExpiration parameters, the entry expires after 30 days.

+You can't create URL allow entries directly in the Tenant Allow/Block List. Instead, you use the Submissions portal at <https://security.microsoft.com/reportsubmission> to report the URL as a false positive, which also adds an allow entry on the **URLs** tab in the Tenant Allow/Block List.

+For instructions, see [Report good URLs to Microsoft](admin-submission.md#report-good-urls-to-microsoft).

+When you modify allow or block entries for URLs in the Tenant Allow/Block list, you can only modify the expiration date and notes.

+This example changes the expiration date of the block entry for the specified URL.

+This example removes the block entry for the specified URL from the Tenant Allow/Block List.

+ |**Replace**|**Note**: This action will be deprecated. For more information, see [MC424901](https://admin.microsoft.com/AdminPortal/Home#/MessageCenter/:/messages/MC424901). <br/><br/> Removes detected malware attachments. <br/><br/> Notifies recipients that attachments have been removed. <br/><br/> Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.^\* <br/><br/> Delivery of safe messages might be delayed due to Safe Attachments scanning.|Raise visibility to recipients that attachments were removed because of detected malware.|

+ > [!NOTE]

+ > Redirection will soon be available only for the **Monitor** action. For more information, see [MC424899](https://admin.microsoft.com/AdminPortal/Home?#/MessageCenter/:/messages/MC424899).

+ - **Replace**: This action will be deprecated. For more information, see [MC424901](https://admin.microsoft.com/AdminPortal/Home#/MessageCenter/:/messages/MC424901).

+ > [!NOTE]

+ > Redirection will soon be available only for the **Monitor** action. For more information, see [MC424899](https://admin.microsoft.com/AdminPortal/Home?#/MessageCenter/:/messages/MC424899).

+After you've initiated the trial and completed the [setup process](try-microsoft-defender-for-office-365.md#set-up-an-evaluation-or-trial-in-blocking-mode), it may take up to 2 hours for changes to take effect.

+After you've completed the [setup process](try-microsoft-defender-for-office-365.md#set-up-an-evaluation-or-trial-in-audit-mode), it may take up to 2 hours for changes to take effect. We've automatically configured Preset Evaluation policies in your environment.

+- The [Evaluation dashboard](try-microsoft-defender-for-office-365.md#reports-for-audit-mode-only) provides an easy view of the threats detected by Defender for Office 365 during evaluation.

+keywords: Try, Evaluate, Trial, Evaluation, Defender for Office 365

+As an existing Microsoft 365 customer, the **Trials** and **Evaluation** pages in the Microsoft 365 Defender portal at <https://security.microsoft.com> allow you to try the features of Microsoft Defender for Office 365 Plan 2 before you buy.

+Before you try Defender for Office 365 Plan 2, there are some key questions that you need to ask yourself:

+- Do I want to passively observe what Defender for Office 365 Plan 2 can do for me (*audit*), or do I want Defender for Office 365 Plan 2 to take direct action on issues that it finds (*block*)?

+- Either way, how can I tell what Defender for Office 365 Plan 2 is doing for me?

+- How long do I have before I need to make the decision to keep Defender for Office 365 Plan 2?

+This article will help you answer those questions so you can try Defender for Office 365 Plan 2 in a way that best meets the needs of your organization.

+For a companion guide for how to use your trial, see [Trial playbook: Microsoft Defender for Office 365](trial-playbook-defender-for-office-365.md).

+## Overview of Defender for Office 365

+Defender for Office 365 helps organizations secure their enterprise by offering a comprehensive slate of capabilities. For more information, see [Microsoft Defender for Office 365](defender-for-office-365.md).

+You can also learn more about Defender for Office 365 at this [interactive guide](https://aka.ms/MS365D.InteractiveGuide).

+

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWMmIe]

+## How trials and evaluations work for Defender for Office 365

+### Policies

+Defender for Office 365 includes the features of Exchange Online Protection (EOP), which are present in all Microsoft 365 organizations with Exchange Online mailboxes, and features that are exclusive to Defender for Office 365.

+The protection features of EOP and Defender for Office 365 are implemented using policies. **Policies that are exclusive to Defender for Office 365 are created for you as needed**:

+- [Impersonation protection in anti-phishing policies](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)

+- [Safe Attachments for email messages](safe-attachments.md)

+- [Safe Links for email messages and Microsoft Teams](safe-links.md)

+ - Safe Links detonates URLs during mail flow. To prevent specific URLs from being detonated, use allow entries for URLs in the Tenant Allow/Block List. For more information, see [Manage the Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+ - Safe Links doesn't wrap URL links in email message bodies.

+Your eligibility for an evaluation or trial means you already have EOP. **No new or special EOP policies are created for your evaluation or trial of Defender for Office 365 Plan 2**. Existing EOP policies in your Microsoft 365 organization are able to act on messages (for example, send messages to the Junk Email folder or to quarantine):

+- [Anti-malware policies](anti-malware-protection.md)

+- [Inbound anti-spam protection](anti-spam-protection.md)

+- [Anti-spoofing protection in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings)

+The default policies for these EOP features are always on, apply to all recipients, and are always applied last after any custom policies.

+### Audit mode vs. blocking mode for Defender for Office 365

+Do you want your Defender for Office 365 experience to be active or passive? These are the two modes that you can select from:

+- **Audit mode**: Special *evaluation policies* are created for anti-phishing (which includes impersonation protection), Safe Attachments, and Safe Links. These evaluation policies are configured to *detect* threats only. Defender for Office 365 detects harmful messages for reporting, but the messages aren't acted upon (for example, detected messages aren't quarantined). The settings of these evaluation policies are described in the [Policies in audit mode](#policies-in-audit-mode) section later in this article.

+ Audit mode provides access to customized reports for threats detected by Defender for Office 365 on the **Evaluation mode** page at<https://security.microsoft.com/atpEvaluation>.

+- **Blocking mode**: The Standard template for [preset security policies](preset-security-policies.md) is turned on and used for the trial, and the users you specify to include in the trial are added to the Standard preset security policy. Defender for Office 365 *detects* and *takes action on* harmful messages (for example, detected messages are quarantined).

+ The default and recommended selection is to scope these Defender for Office 365 policies to all users in the organization. But during or after the setup of your trial, you can change the policy assignment to specific users, groups, or email domains in the Microsoft 365 Defender portal or in [Exchange Online PowerShell](#policy-settings-associated-with-defender-for-office-365-trials).

+ Blocking mode does not provide customized reports for threats detected by Defender for Office 365. Instead, the information is available in the regular reports and investigation features of Defender for Office 365 Plan 2.

+A key factor in audit mode vs. blocking mode is how email is delivered to your Microsoft 365 organization:

+- Mail from the internet flows directly Microsoft 365, but your current subscription has only [Exchange Online Protection (EOP)](exchange-online-protection-overview.md) or [Defender for Office 365 Plan 1](overview.md#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet).

+ 

+ In these environments, you can select **audit mode** or **blocking mode**.

+- You're currently using a third-party service or device for email protection of your Microsoft 365 mailboxes. Mail from the internet flows through the protection service before delivery into your Microsoft 365 organization. Microsoft 365 protection is as low as possible (it's never completely off; for example, malware protection is always enforced).

+ 

+ In these environments, you can select **audit mode** only. You don't need to change your mail flow (MX records).

+### Evaluation vs. trial for Defender for Office 365

+What's the difference between an evaluation and a trial of Defender for Office 365 Plan 2? Aren't they the same thing? Well, yes and no. Here's what you need to know:

+- If you don't already have Defender for Office 365 Plan 2 licenses (for example, standalone EOP, Microsoft 365 E3, Microsoft 365 Business Premium, or Defender for Office 365 Plan 1), you can start your trial from the **Microsoft 365 trials** page at <https://security.microsoft.com/trialHorizontalHub> or the **Evaluation mode** page at <https://security.microsoft.com/atpEvaluation> in the Microsoft 365 Defender portal. At either location, you can select **allow mode** (Standard preset security policy) or **blocking mode** (evaluation policies) as previously described.

+ Regardless of which location you use, we'll automatically provision the required Defender for Office 365 Plan 2 trial licenses for you when you enroll. Manual or outside steps for getting and assigning Plan 2 licenses in the Microsoft 365 admin center are no longer required. The trial licenses are good for 90 days:

+ - For organizations without Defender for Office 365 (for example, standalone EOP or Microsoft 365 E3) the features (in particular, the policies) of Defender for Office 365 are available to you during the trial period.

+ - Organizations with Defender for Office 365 Plan 1 (for example Microsoft 365 Business Premium or add-on subscriptions) have exactly the same policies as organizations with Defender for Office 365 Plan 2 (impersonation protection in anti-phishing policies, Safe Attachments policies, and Safe Links policies). The security policies from **allow mode** (Standard preset security policy) or **blocking mode** (evaluation policies) don't expire or stop working after 90 days. What ends after 90 days for these organizations are the [automation, investigation, remediation, and education capabilities](defender-for-office-365.md#microsoft-defender-for-office-365-plan-1-and-plan-2) of Plan 2 that aren't present in Plan 1.

+- If you already have Defender for Office 365 Plan 2 (for example, as part of a Microsoft 365 E5 subscription), you'll never see **Defender for Office 365** on the **Microsoft 365 trials** page at <https://security.microsoft.com/trialHorizontalHub>. Instead, you start your evaluation of Defender for Office 365 Plan to on the **Evaluation mode** page at <https://security.microsoft.com/atpEvaluation> in **allow mode** (Standard preset security policy) or **blocking mode** (evaluation policies).

+ By definition, these organizations don't require trial licenses of Defender for Office 365 Plan 2, so their evaluations are unlimited in duration.

+The information from the previous list is summarized in the following table:

+|Organization|Available modes|Enroll from the<br/>Evaluation page?|Enroll from the<br/>Trials page?|Evaluation<br/>period|

+|||::|::||

+|Standalone EOP<br/>(no Exchange Online mailboxes) <br/><br/> Microsoft 365 E3|Audit mode <br/> Blocking mode|Yes|Yes|90 days|

+|Defender for Office 365 Plan 1 <br/><br/> Microsoft 365 Business Premium|Audit mode <br/> Blocking mode|Yes|Yes|Unlimited^\*|

+|Microsoft 365 E5|Audit mode <br/> Blocking mode|Yes|No|Unlimited|

+^\* The security policies from **allow mode** (Standard preset security policy) or **blocking mode** (evaluation policies) don't expire or stop working after 90 days. Only the [automation, investigation, remediation, and education capabilities](defender-for-office-365.md#microsoft-defender-for-office-365-plan-1-and-plan-2) that are exclusive to Defender for Office 365 Plan 2 stop working after 90 days.

+## Set up an evaluation or trial in audit mode

+Remember, when you evaluate Defender for Office 365 in audit mode, special evaluation policies are created so Defender for Office 365 can detect threats. The settings of these evaluation policies are described in the [Policies in audit mode](#policies-in-audit-mode) section later in this article.

+1. Start the evaluation in any of the available locations in the Microsoft 365 Defender portal at <https://security.microsoft.com>. For example:

+ - On the banner at the top of any Defender for Office 365 feature page, click **Start free trial**.

+ - On the **Microsoft 365 trials** page at <https://security.microsoft.com/trialHorizontalHub>, find and select **Defender for Office 365**.

+ - On the **Evaluation mode** page at <https://security.microsoft.com/atpEvaluation>, click **Start evaluation**.

+ > You can change these selections after you finish setting up the trial as described in the [Manage your trial](#manage-your-evaluation-or-trial-of-defender-for-office-365) section.

+ >

+ > Multiple different types of conditions or exceptions are not additive; they're inclusive. The evaluation or trial is applied *only* to those recipients that match *all* of the specified recipient filters. For example, you configure a condition with the following values:

+ >

+ > - **Users**: romain@contoso.com

+ > - **Groups**: Executives

+ >

+ > The evaluation or trial is applied to romain@contoso.com *only* if he's also a member of the Executives group. If he's not a member of the group, then the evaluation or trial is not applied to him.

+ >

+ > Likewise, if you use the same recipient filter as an exception, the evaluation or trial is not applied to romain@contoso.com *only* if he's also a member of the Executives group. If he's not a member of the group, then the evaluation or trial still applies to him.

+ When a third-party service or device sits in front of email flowing into Microsoft 365, Enhanced Filtering for Connectors correctly identifies the source of internet messages and greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-spoofing-protection.md), as well as post-breach capabilities in [Threat Explorer](threat-explorer.md) and [Automated Investigation & Response (AIR)](automated-investigation-response-office.md).

+ - **Share data with Microsoft**: This option isn't selected by default, but you can select the check box if you like.

+## Set up an evaluation or trial in blocking mode

+Remember, when you try Defender for Office 365 in blocking mode, the Standard preset security is turned on and the specified users (some or everyone) are included in the Standard preset security policy. For more information about the Standard preset security policy, see [Preset security policies](preset-security-policies.md).

+1. Start the trial in any of the available locations in the Microsoft 365 Defender portal at <https://security.microsoft.com>. For example:

+ - On the banner at the top of any Defender for Office 365 feature page, click **Start free trial**.

+ - On the **Microsoft 365 trials** page at <https://security.microsoft.com/trialHorizontalHub>, find and select **Defender for Office 365**.

+ - On the **Evaluation mode** page at <https://security.microsoft.com/atpEvaluation>, click **Start evaluation**.

+ - **Select users**: If you select this option, you need to select the internal recipients that the trial applies to:

+ > You can change these selections after you finish setting up the trial as described in the [Manage your trial](#manage-your-evaluation-or-trial-of-defender-for-office-365) section.

+ >

+ > Multiple different types of conditions or exceptions are not additive; they're inclusive. The evaluation or trial is applied *only* to those recipients that match *all* of the specified recipient filters. For example, you configure a condition with the following values:

+ >

+ > - **Users**: romain@contoso.com

+ > - **Groups**: Executives

+ >

+ > The evaluation or trial is applied to romain@contoso.com *only* if he's also a member of the Executives group. If he's not a member of the group, then the evaluation or trial is not applied to him.

+ >

+ > Likewise, if you use the same recipient filter as an exception, the evaluation or trial is not applied to romain@contoso.com *only* if he's also a member of the Executives group. If he's not a member of the group, then the evaluation or trial still applies to him.

+## Manage your evaluation or trial of Defender for Office 365

+After you set up your evaluation or trial in audit mode or blocking mode, the **Evaluation mode** page at <https://security.microsoft.com/atpEvaluation> is your central location for information about trying Defender for Office 365 Plan 2.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> select **Evaluation mode** in the **Others** section. Or, to go directly to the **Microsoft Defender for Office 365 evaluation** page, use <https://security.microsoft.com/atpEvaluation>.

+2. On the **Microsoft Defender for Office 365 evaluation** page, you can do the following tasks:

+ - Click **Buy a paid subscription** to buy Defender for Office 365 Plan 2.

+ - Click **Manage**. In the **Microsoft Defender for Office 365 evaluation** flyout that appears, you can do the following tasks:

+ - Change who the evaluation or trial applies to as described earlier in the [Set up an evaluation or trial in audit mode](#set-up-an-evaluation-or-trial-in-audit-mode) and [Set up an evaluation or trial in blocking mode](#set-up-an-evaluation-or-trial-in-blocking-mode).

+ - To switch from **audit mode** (evaluation policies) to blocking mode (Standard preset security policy), click **Convert to standard protection**, and then click **Continue** in the dialog that appears to be taken to the **Apply standard protection** wizard on the **Preset security policies** page. The existing included and excluded recipients are copied over. For more information, see [Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).

+ **Notes**:

+ - The policies in the Standard preset security policy have a higher priority than the evaluation policies, which means the policies in the Standard preset security are always applied *before* the evaluation policies, even if both are present and turned on. To turn off the evaluation policies, use the **Turn off** button.

+ - There's no automatic way to go from **blocking mode** to **audit mode**. The manual steps are:

+ 1. Turn off the Standard preset security policy on the **Preset security policies** page.

+ 2. After clicking **Manage** on the **Microsoft Defender for Office 365 evaluation** page, verify the presence of the **Turn off** button, which indicates the evaluation policies are turned on. If you see the **Turn on** button, click it to turn on the evaluation policies.

+ 3. Verify the users that the evaluation applies to.

+ - To turn off the evaluation policies, click **Turn off**. To turn them back on, click **Turn on**.

+ When you're finished in the flyout, click **Save**.

+## Reports for your evaluation or trial of Defender for Office 365

+In **audit mode** or **blocking mode**, the following reports show detections by Defender for Office 365:

+- The [Mailflow view for the Mailflow status report](view-email-security-reports.md#mailflow-view-for-the-mailflow-status-report):

+ - Messages detected as user impersonation or domain impersonation by anti-phishing policies appear in **Impersonation block**.

+ - Messages detected during file or URL detonation by Safe Attachments policies or Safe Links policies appear in **Detonation block**.

+- The [Threat protection status report](view-email-security-reports.md#threat-protection-status-report):

+ - [View data by Overview](view-email-security-reports.md#view-data-by-overview):

+ You can filter most views by the **Protected by** value **MDO** to see the effects of Defender for Office 365.

+ - Messages detected by [campaigns](campaigns.md) appear in **Campaign**.

+ - Messages detected by Safe Attachments appear in **File detonation** and **File detonation reputation**.

+ - Messages detected by user impersonation protection in anti-phishing policies appear in **Impersonation domain**, **Impersonation user**, and **Mailbox intelligence impersonation**.

+ - Messages detected by Safe Links appear in **URL detonation** and **URL detonation reputation**.

+ - [View data by Email \> Malware and Chart breakdown by Detection Technology](view-email-security-reports.md#view-data-by-email--malware-and-chart-breakdown-by-detection-technology)

+ - Messages detected by [campaigns](campaigns.md) appear in **Campaign**.

+ - Messages detected by Safe Attachments appear in **File detonation** and **File detonation reputation**.

+ - Messages detected by Safe Links appear in **URL detonation** and **URL detonation reputation**.

+ - [View data by Email \> Spam and Chart breakdown by Detection Technology](view-email-security-reports.md#view-data-by-email--spam-and-chart-breakdown-by-detection-technology)

+ Messages detected by Safe Links appear in **URL malicious reputation**.

+ - [Chart breakdown by Policy type](view-email-security-reports.md#chart-breakdown-by-policy-type)

+ Messages detected by Safe Attachments appear in **Safe Attachments**

+ - [View data by Content \> Malware](view-email-security-reports.md#view-data-by-content--malware)

+ Malicious files detected by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](turn-on-mdo-for-spo-odb-and-teams.md) appear in **MDO detonation**.

+ - The [Top senders and recipients report](view-email-security-reports.md#top-senders-and-recipients-report)

+ **Show data for Top malware recipients (MDO)** and **Show data for Top phish recipients (MDO)**.

+ - The [URL protection report](view-reports-for-mdo.md#url-protection-report)

+### Reports for audit mode only

+In [Threat Explorer](threat-explorer.md), messages that were detected by the Defender for Office 365 evaluation show the following banner in the details of the entry:

+ 

+- Impersonation protection in anti-phishing policies

+The following permissions are required in **Azure AD** to set up an evaluation or trial of Defender for Microsoft 365:

+- **Create, modify or delete an evaluation or trial**: Security Administrator or Global Administrator.

+- **View evaluation policies and reports in audit mode**: Security Administrator or Security Reader.

+## Frequently asked questions

+### Q: Do I need to manually get or activate trial licenses?

+A: No. The trial automatically provisions Defender for Office 365 Plan 2 licenses if you need them as previously described.

+### Q: How do I extend the trial?

+A: See [Extend your trial](/microsoft-365/commerce/try-or-buy-microsoft-365#extend-your-trial).

+### Q: What happens to my data after the trial expires?

+A: After your trial expires, you'll have access to your trial data (data from features in Defender for Office 365 that you didn't have previously) for 30 days. After this 30 day period, all policies and data that were associated with the Defender for Office 365 trial will be deleted.

+### Q: How many times can I use the Defender for Office 365 trial in my organization?

+A: A maximum of 2 times. If your first trial expires, you need to wait at least 30 days after the expiration date before you can enroll in the Defender for Office 365 trial again. After your second trial, you can't enroll in another trial.

+### Q: In audit mode, are there scenarios where Defender for Office 365 will act on messages?

+A: Yes. No one in any program or SKU can turn off or bypass taking action on messages that are classified as malware or high confidence phishing by the service.

+In audit mode, [anti-spoofing protection in EOP](set-up-anti-phishing-policies.md#spoof-settings) also takes action on messages. To prevent anti-spoofing protection from acting on messages, create an Exchange mail flow rule (also known as a transport rule) where inbound email bypasses all types of filtering that can be bypassed (including anti-spoofing protection). For instructions, see [Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).

+### Q: In what order are policies evaluated?

+A: See [Order of precedence for preset security policies and other policies](preset-security-policies.md#order-of-precedence-for-preset-security-policies-and-other-policies).

+## Reference

+### Policy settings associated with Defender for Office 365 trials

+#### Policies in audit mode

+> [!WARNING]

+> Do not attempt to create, modify, or remove the individual security policies that are associated with the evaluation of Defender for Office 365. The only supported method for creating the individual security policies for the evaluation is to start the evaluation or trial in audit mode in the Microsoft 365 Defender portal for the first time.

+[As previously described](#audit-mode-vs-blocking-mode-for-defender-for-office-365), when you choose audit mode for your evaluation or trial, evaluation policies with the required settings to observe but not take action on messages are automatically created.

+To see these policies and their settings, run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell):

+```powershell

+Write-Output -InputObject ("`r`n"*3),"Evaluation anti-phishing policy",("-"*79);Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Evaluation"; Write-Output -InputObject ("`r`n"*3),"Evaluation Safe Attachments policy",("-"*79);Get-SafeAttachmentPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Evaluation"; Write-Output -InputObject ("`r`n"*3),"Evaluation Safe Links policy",("-"*79);Get-SafeLinksPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Evaluation"

+```

+The settings are also described in the following tables.

+##### Anti-phishing evaluation policy settings

+|Name|Evaluation Policy|

+|ExcludedDomains|{}|

+|ExcludedSenders|{}|

+|PolicyTag|blank|

+|TargetedDomainsToProtect|{}|

+##### Safe Attachments evaluation policy settings

+|Name|Evaluation Policy|

+|RedirectAddress|blank|

+##### Safe Links evaluation policy settings

+|Name|Evaluation Policy|

+|AllowClickThrough|True|

+|EnableSafeLinksForEmail|True|

+|EnableSafeLinksForOffice|False|

+|EnableSafeLinksForTeams|False|

+##### Use PowerShell to configure recipient conditions and exceptions to the evaluation in audit mode

+A rule that's associated with the Defender for Office 365 evaluation policies controls the recipient conditions and exceptions to the evaluation.

+To view the rule that's associated with the evaluation, run the following command in Exchange Online PowerShell:

+```powershell

+Get-ATPEvaluationRule

+```

+To use Exchange Online PowerShell to modify who the evaluation applies to, use the following syntax:

+```powershell

+Set-ATPEvaluationRule -Identity "Evaluation Rule" -SentTo <"user1","user2",... | $null> -ExceptIfSentTo <"user1","user2",... | $null> -SentToMemberOf <"group1","group2",... | $null> -ExceptIfSentToMemberOf <"group1","group2",... | $null> -RecipientDomainIs <"domain1","domain2",... | $null> -ExceptIfRecipientDomainIs <"domain1","domain2",... | $null>

+```

+This example configures exceptions from the evaluation for the specified security operations (SecOps) mailboxes.

+```powershell

+Set-ATPEvaluationRule -Identity "Evaluation Rule" -ExceptIfSentTo "SecOps1","SecOps2"

+```

+##### Use PowerShell to turn on or turn off the evaluation in audit mode

+To turn on or turn off the evaluation in audit mode, you enable or disable the rule that's associated with the evaluation. The State property value of the evaluation rule shows whether the rule is Enabled or Disabled.

+Run the following command to determine whether the evaluation is currently enabled or disabled:

+```powershell

+Get-ATPEvaluationRule -Identity "Evaluation Rule" | Format-Table Name,State

+```

+Run the following command to turn off the evaluation if it's turned on:

+```powershell

+Disable-ATPEvaluationRule -Identity "Evaluation Rule"

+```

+Run the following command to turn on the evaluation if it's turned off:

+```powershell

+Enable-ATPEvaluationRule -Identity "Evaluation Rule"

+```

+#### Policies and rules in block mode

+[As previously described](#audit-mode-vs-blocking-mode-for-defender-for-office-365), when you choose blocking mode for your trial, policies are created using the Standard template for [preset security policies](preset-security-policies.md).

+To use Exchange Online PowerShell to view the individual security policies that are associated with the Standard preset security policy, and to use Exchange Online PowerShell to view and configure the recipient conditions and exceptions for the preset security policy, see [Preset security policies in Exchange Online PowerShell](preset-security-policies.md#preset-security-policies-in-exchange-online-powershell).

+> [!NOTE]

+>If a Whiteboard is stored in OneDrive and already attached to a meeting, it cannot be initiated on a Surface Hub or Microsoft Teams Rooms device. An authenticated user on another device will need to do so. We plan to enable this functionality in a future release.