+|Require a password|Yes|No|No|

+|Block cloud backup¹|Yes|No|No|

+|Block document synchronization¹|Yes|No|No|

+¹To function, these settings require supervised iOS devices.

+|Block video conferences on device¹|Yes|No|No|

+|Block access to application store¹|Yes|No|Yes|

+¹To function, these settings require supervised iOS devices.

+|Block connection with removable storage|No|No|Yes|

+|Block Bluetooth connection|No|No|Yes|

+ 

+ 1. **Exchange mailboxes**: Set the toggle to **On** and then click **Choose users, groups, or teams** to specify the mailboxes to search. Use the search box to find user mailboxes and distribution groups. You can also search the mailbox associated with a Microsoft Team (for channel messages), Office 365 Group, and Yammer Group. For more information about the application data stored in mailboxes, see [Content stored in mailboxes for eDiscovery](what-is-stored-in-exo-mailbox.md).

+ 2. **SharePoint sites**: Set the toggle to **On** and then click **Choose sites** to specify SharePoint sites and OneDrive accounts to search. Type the URL for each site that you want to search. You can also add the URL for the SharePoint site for a Microsoft Team, Office 365 Group, or Yammer Group.

+ 3. **Exchange public folders**: Set the toggle to **On** to search public folders in your Exchange Online organization. You can't choose specific public folders to search. Leave the toggle switch off if you don't want search public folders.

+MTA-STS allows a domain to declare support for TLS and communicate the MX record and destination certificate to expect. It also indicates what a sending server must do if there's a problem. This communication is done through a combination of a DNS TXT record and a policy file that's published as an HTTPS webpage. The HTTPS-protected policy introduces another security protection that attackers must overcome.

+These policies aren't something that Exchange Online can host on behalf of customers, so customers must configure their domain's STS policy using the services they prefer. Azure services can be easily used for policy hosting and there's a configuration walk-through later in this article. The policy needs to be protected by HTTPS with a certificate for the subdomain `mta-sts.<domain name>`.

+Once the DNS TXT record is created and the policy file is available at the required HTTPS URL, the domain will be protected by MTA-STS. Details about MTA-STS are available in [RFC 8461](https://datatracker.ietf.org/doc/html/rfc8461).

+### Configuring Inbound MTA-STS with Azure Services

+> [!NOTE]

+> These configuration flows were developed to help Microsoft Exchange Online customers host their MTA-STS policy using Azure resources. This configuration flow assumes that you're an Exchange Online customer who is aware of how MTA-STS works and its requirements. For more information about the protocol beyond this topic, see [RFC8461](https://www.rfc-editor.org/rfc/rfc8461.html).

+There are two Azure resources that can be used to host the MTA-STS policy: [Azure Static Web App](https://azure.microsoft.com/services/app-service/static/) and [Azure Functions](/azure/azure-functions/functions-overview). Although this article describes how to deploy the policy using both the resources, the recommended method is [Azure Static Web App](https://azure.microsoft.com/services/app-service/static/) as itΓÇÖs designed for hosting static pages such as the STS policy, and Azure simplifies the configuration by providing a TLS certificate for the MTA-STS webpage out of the box, without requiring more configuration. If you aren't able to use [Azure Static Web App](https://azure.microsoft.com/services/app-service/static/), you can also host your policy as serverless code using [Azure Functions](/azure/azure-functions/functions-overview). This approach isn't the preferred method because Azure Function is a feature designed for other scenarios and it doesnΓÇÖt issue a TLS certificate automatically, unlike Azure Static Web Apps. So using [Azure Functions](/azure/azure-functions/functions-overview) for MTA-STS requires that you issue your own ΓÇ£mta-sts.[your domain]ΓÇ¥ certificate and bind it to the function.

+Regardless of which approach you've taken, we encourage you to validate that your policy is properly configured and the response time is acceptable ΓÇô timeout per RFC guidance is 60 seconds.

+These configuration flows are intended to provide only technical information about Azure features that can be used to host the MTA-STS policy and doesn't provide any information about Azure featuresΓÇÖ charging or costs. If you want to know Azure feature costs, use the Azure [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/).

+#### Option 1 (RECOMMENDED): Azure Static Web App

+1. Create an Azure DevOps organization or use an organization that already exists. In this example, an organization called ΓÇ£ContosoCorporationΓÇ¥ will be used to host the MTA-STS policy.

+ :::image type="content" source="../media/projects-tab.png" alt-text="The screenshot that shows the projects tab." lightbox="../media/projects-tab.png":::

+2. In **Repos > Files**, clone your repository in any IDE that you prefer. In this example, the repo will be cloned in Visual Studio.

+ :::image type="content" source="../media/clone-to-vs-code.png" alt-text="The screenshot that shows an example of cloning to visual studio code." lightbox="../media/clone-to-vs-code.png":::

+3. Once the repo is cloned, create the following folder path: `home\.well-known\`. Then, create the following files:

+ - File 1: home\.well-known\mta-sts.txt

+ > [!NOTE]

+ > This configuration allows only Exchange Online to receive messages on behalf of your domain. If you're using multiple email providers, you need to reference MX hosts for those other providers' domains as well. Wildcards or ΓÇÿ*ΓÇÖ must not be used as the MX prefix in all MTA-STS scenarios; the settings below are specific to Exchange Online only and must NOT be used as general guidance for configuring MTA-STS.

+ 1. Input the following text into the mta-sts.txt file:

+ ```powershell

+ version: STSv1

+ mode: testing

+ mx: *.mail.protection.outlook.com

+ max_age: 604800

+ ```

+ > [!NOTE]

+ > It's recommended that the policy mode be initially set as ΓÇÿtestingΓÇÖ. Then, at the end of the configuration and after validating that the policy is working as expected, update the mta-sts.txt file such that the mode is ΓÇÿenforceΓÇÖ.

+

+ The file must only contain the content as shown in the following screenshot:

+ :::image type="content" source="../media/contents-of-file1.png" alt-text="The screenshot that displays the contents of File1." lightbox="../media/contents-of-file1.png":::

+ - File 2: home\https://docsupdatetracker.net/index.html

+

+ 1. Create an https://docsupdatetracker.net/index.html file and input the following code into it:

+

+ ```powershell

+ <!DOCTYPE html>

+ <html lang="en">

+ <head>

+ <meta charset="UTF-8">

+ <title>MTA-STS</title>

+ </head>

+ <body>

+ <h1>MTA-STS Static Website index</h1>

+ </body>

+ </html>

+ ```

+

+ The file must only contain the content as shown in the following screenshot:

+

+ :::image type="content" source="../media/contents-of-file2.png" alt-text="The screenshot that displays the contents of File2." lightbox="../media/contents-of-file2.png":::

+ Once the folder path and files are created, donΓÇÖt forget to commit the changes and push them into your main branch.

+4. Create a new Azure Static Web App with the following configuration:

+ - **Name**: MTA-STS-StaticWebApp

+ - **Plan type**: Standard

+ - **Deployment Details**: Azure DevOps

+ - **Organization**: ContosoCorporation

+ - **Project**: MTA-STS_Project

+ - **Repository**: MTA-STS_Project

+ - **Branch**: master

+ - **Build Presets**: Angular

+ - **App Location**: /home

+

+ :::image type="content" source="../media/new-app-with-details.png" alt-text="The screenshot that shows a newly created Azure Static Web App with its information." lightbox="../media/new-app-with-details.png":::

+5. Once the Static Web App creation is done and the resource is provisioned, go to **Overview > Manage deployment token**; then copy the token as it will be used in the next step.

+6. Go to **Pipelines > Create Pipeline > Azure Repos Git > MTA-STS_Project**, and perform the following subtasks:

+ 1. Go to **Variables > New Variable** and type the following:

+ 1. **Name**: token

+ 1. **Value**: (paste the token that you previously copied)

+ 1. Once the variable is saved, return to **Review your pipeline YAML** and paste the following yml, save and run.

+

+ ```powershell

+ trigger:

+ - main

+ pool:

+ vmImage: ubuntu-latest

+ steps:

+ - checkout: self

+ submodules: true

+ - task: AzureStaticWebApp@0

+ inputs:

+ app_location: '/home'

+ azure_static_web_apps_api_token: $(token)

+ ```

+ In Azure DevOps, during deployment, if you experience the error **No hosted parallelism has been purchased or granted**, either request through this [form](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR63mUWPlq7NEsFZhkyH8jChUMlM3QzdDMFZOMkVBWU5BWFM3SDI2QlRBSC4u) or implement a configuration through **Organization Settings > Parallel jobs > Microsoft Hosted > Change > Paid Parallel jobs** such that ΓÇ£Paid parallel jobsΓÇ¥ are allowed.

+7. Once the job finishes successfully, you can validate the deployment through the Azure portal by going to **Azure Static Web App > Environment > Browser**. You must see the https://docsupdatetracker.net/index.html file's content.

+8. Add your vanity domain in **Azure Static Web App > Custom domains > Add**. You'll be required to create a **CNAME** record through your DNS provider (for example, GoDaddy) to validate that the zone belongs to you. Once the validation is finished, Azure will issue a certificate and bind it to your Static Web App automatically.

+9. Validate that your MTA-STS policy is published through: https://mta-sts.[your domain]/.well-known/mta-sts.txt.

+10. Create the MTA-STS TXT DNS record through your DNS provider. The format is as follows:

+

+ ```powershell

+ Hostname: _mta-sts.<domain name>

+ TTL: 3600 (recommended)

+ Type: TXT

+ Text: v=STSv1; id=<ID unique for your domainΓÇÖs STS policy>Z;

+ ```

+ > [!NOTE]

+ > An example MTA-STS TXT record can be found in [How To Adopt MTA-STS](#how-to-adopt-mta-sts).

+11. Once the TXT record is available in DNS, validate your MTA-STS configuration. Once the configuration has been successfully validated, update the mta-sts.txt file so that the policy mode is ΓÇÿenforceΓÇÖ; then update your policy ID in the TXT record.

+#### Option 2: Azure Function

+1. Create a new Azure Function App with the following configuration:

+ - **Function App name**: [As your choice]

+ - **Publish**: Code

+ - **Runtime stack**: .NET

+ - **Version**: 6

+ - **Operating System**: Windows

+ - **Plan Type**: [As your choice]

+ :::image type="content" source="../media/new-azure-function-app.png" alt-text="The screenshot that shows the configurations of a new Azure Function app." lightbox="../media/new-azure-function-app.png":::

+2. Add your custom domain to the Function App. You'll be required to create a **CNAME** record to validate that the domain belongs to you.

+ :::image type="content" source="../media/custom-domain-to-add.png" alt-text="The screenshot that shows the custom domain to be added to the Function App." lightbox="../media/custom-domain-to-add.png":::

+3. Bind your mta-sts.[your domain] to the Function App.

+ :::image type="content" source="../media/binding-to-function-app.png" alt-text="The screenshot that shows the process of binding the domain to the Function App." lightbox="../media/binding-to-function-app.png":::

+4. In **App File**, add the following extension to the host.json of your Function App to eliminate the routePrefix. This addition is necessary to remove the /api from the function URL.

+

+ ```powershell

+ "extensions": {

+ "http": {

+ "routePrefix": ""

+ }

+ }

+ ```

+ :::image type="content" source="../media/extension-added-to-app-file.png" alt-text="The screenshot that shows the extension being added to the app file." lightbox="../media/extension-added-to-app-file.png":::

+5. In your Function App, go to **Functions > Create** and configure the following parameters:

+ > [!NOTE]

+ > Although this example describes the function development through the portal, you're free to use VS Code, or any other tool that you prefer.

+ - **Development environment**: [As your choice, this example will use ΓÇ£Develop in PortalΓÇ¥]

+ - **Select a template**: HTTP trigger

+ - **New Function**: [As your choice]

+ - **Authorization level**: Anonymous

+ :::image type="content" source="../media/create-function-screen.png" alt-text="The screenshot that shows the Create function page." lightbox="../media/create-function-screen.png":::

+6. Once the function is created, open **Code + Test** and develop in C# a simple async HTTP response that will be your MTA-STS policy. The following example indicates that Exchange Online is expected to receive emails:

+ > [!NOTE]

+ > It's recommended that the policy mode be initially set as ΓÇÿtestingΓÇÖ. Then, at the end of the configuration and after validating that the policy is working as expected, update the mta-sts.txt file such that the mode is ΓÇÿenforceΓÇÖ.

+ :::image type="content" source="../media/mta-sts-policy.png" alt-text="The screenshot that shows the mta-sts policy that's developed." lightbox="../media/mta-sts-policy.png":::

+7. In **Integration > HTTP (req)**, edit the trigger to the following values:

+ - **Route Template**: .well-known/mta-sts.txt

+ - **Selected HTTP methods**: GET

+ :::image type="content" source="../media/edit-trigger-screen.png" alt-text="The screenshot that shows the Edit trigger page." lightbox="../media/edit-trigger-screen.png":::

+8. Validate that your MTA-STS policy is published through: https://mta-sts.[your domain]/.well-known/mta-sts.txt.

+9. Create the MTA-STS TXT DNS record through your DNS provider in the following format:

+ ```powershell

+ Hostname: _mta-sts.<domain name>

+ TTL: 3600 (recommended)

+ Type: TXT

+ Text: v=STSv1; id=<ID unique for your domainΓÇÖs STS policy>Z;

+ ```

+ > [!NOTE]

+ > An example MTA-STS TXT record can be found in [How To Adopt MTA-STS](#how-to-adopt-mta-sts).

+10. Once the TXT record is available in DNS, validate your MTA-STS configuration. Once the configuration has been successfully validated, update the mta-sts.txt file such that the policy mode is ΓÇÿenforceΓÇÖ; then update your policy ID in the TXT record.

+The Microsoft Service Trust Portal provides a variety of content, tools, and other resources about how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization.

+The Service Trust Portal is Microsoft's public site for publishing audit reports and other compliance-related information associated with MicrosoftΓÇÖs cloud services. STP users can download audit reports produced by external auditors and gain insight from Microsoft-authored whitepapers that provide details on how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization. To access some of the resources on the Service Trust Portal, you must log in as an authenticated user with your Microsoft cloud services account (Azure Active Directory organization account) and review and accept the Microsoft Non-Disclosure Agreement for Compliance Materials.

+

+### Certifications, Regulations and Standards

+Provides a wealth of security implementation and design information with the goal of making it easier for you to meet regulatory compliance objectives by understanding how Microsoft Cloud services keep your data secure. To review content, select one of the following tiles.

+- **ISO/IEC** - International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)

+- **SOC** - System and Organization Controls (SOC) 1, 2, and 3 Reports

+- **GDPR** - General Data Protection Regulation

+- **FedRAMP** - Federal Risk and Authorization Management Program

+- **PCI** - Payment Card Industry (PCI) Data Security Standards (DSS)

+- **CSA Star** - Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR)

+- **Australia IRAP** - Australia Information Security Registered Assesors Program (IRAP)

+- **Singapore MTCS** - Multi-Tier Cloud Security (MTCS) Singapore Standard

+- **Spain ENS** - Spain Esquema Nacional de Seguridad (ENS)

+### Reports, Whitepapers, and Artifacts

+General documents relating to the following categories:

+- **BCP and DR** - Business Continuity and Disaster Recovery

+- **Pen Test and Security Assessments** - Attestation of Penetration tests and security assessments conducted by third parties

+- **Privacy and Data Protection** - Privacy and Data Protection Resources

+- **FAQ and Whitepapers** - Whitepapers and answers to frequently asked questions

+### Industry and Regional Resources

+Documents the apply to the following industries and regions:

+- **Financial Services** - Resources elaborating regulatory compliance guidance for FSI (by country)

+- **Healthcare and Life Sciences** - Capabilities offered by Microsoft for Healthcare Industry

+- **Media and Entertainment** - Media and Entertainment Industry Resources

+- **United States Government** - Resources exclusively for US Government customers

+- **Regional Resources** - Documents describing compliance of Microsoft's online services with various regional policies and regulations

+### Resources for your Organization

+Documents applying to your organization (restricted by tenant).

+- **Resources for your Organization** - Documents based on your organizationΓÇÖs subscription and permissions

+Resources with the series check mark indicate that the document has multiple versions, which can be viewed once you click on the document and click ΓÇ£view all versionsΓÇ¥ on the download page.

+Filter by date and cloud service - When viewing the available documents, you can filter the results by date range by selecting **Dates** and then selecting the range you want to use.

+Document download view - When viewing the available documents, you can filter the results by the applicable **Cloud Service**.

+> Many of the files on the STP require acceptance of a license agreement. Some browser-based PDF viewers do not allow Javascript to run, which prevents the license agreement from being displayed and the file from opening.

+### All Documents

+This section displays all available documents. Select the documents to save into your My Library section. Documents are sorted under the same categories shown under Certifications, Standards, Regulations, and Industry Resources. To view all resources for a particular cloud service use the **Cloud Service** filter.

+### Search

+Click the magnifying glass in the upper right-hand corner of the Service Trust Portal page to expand the box, enter your search terms, and press **Enter**. The **Search** page is displayed, with the search term displayed in the search box and the search results listed below.

+By default, the search returns document results. You can filter the results by using the dropdown lists to refine the list of documents displayed. You can use multiple filters to narrow the list of documents. Filters include the specific cloud services, and regions. Click the document name link to download the document.

+> [!NOTE]

+> Service Trust Portal reports and documents are available to download for at least 12 months after publishing or until a new version of document becomes available.

+## My Library

+Use the My Library feature to add documents and resources on the Service Trust Portal to your My Library page. This lets you access documents that are relevant to you in a single place. To add a document to your My Library, click the elipsis (**...**) menu to the right of a document and then select **Save to library**. You can add multiple documents to your My Library by clicking the checkbox next to one or more documents, and then clicking **Save to library** at the top of the page.

+Additionally, the notifications feature lets you configure your My Library so that an email message is sent to you whenever Microsoft updates a document that you've added to your My Library. To set up notifications, go to your My Library and click **Notification Settings**. You can choose the frequency of notifications and specify an email address in your organization to send notifications to. Email notifications include links to the documents that have been updated and a brief description of the update.

+If a document is part of a series, you will be subscribed to the series and will receive notifications when there is an update to that series. You can view the individual documents and Series documents that you have subscribed to, in 2 sections as shown below:

+- If 50,000 results are found, you can probably assume that there are more than 50,000 events that met the search criteria. You can either refine the search criteria and rerun the search to return fewer results, or you can export the 50,000 search results by selecting **Export results** \> **Download all results**.

+To retain and delete emails, we recommend you use [Microsoft 365 retention policies and retention labels](retention.md) rather than the older messaging records management (MRM) from Exchange Online. However, a valid reason to still use this older feature is to automatically move emails from a user's primary mailbox to their [archive mailbox](archive-mailboxes.md). You might also need to use MRM to apply retention and deletion settings to specific folders in the mailbox, rather than the entire mailbox.

+Use this article as an example deployment for these two valid reasons to use MRM retention policies and retention tags. For all other retention and deletion scenarios, use Microsoft 365 retention policies and retention labels.

+The configuration requires you to create an MRM retention policy that you then assign to mailboxes. This policy moves items to a user's archive mailbox after a specified period of time and also deletes items from the Deleted items folder after they reach a specific age limit.

+- Create two custom retention tags to do the following actions:

+

+ - Automatically move items that are 3 years old to the user's archive mailbox. Moving items to the archive mailbox frees up space in a user's primary mailbox.

+

+ - Automatically delete items that are 5 years old from the Deleted Items folder. This also frees up space in the user's primary mailbox. User's will have the opportunity to recover these items if necessary. See the footnote in the [More information](#more-information) section for more details.

+- Create a new retention policy and add the new custom retention tags to it. Additionally, you'll add a built-in retention tag that can't be achieved with a recommended Microsoft 365 retention label because it also moves items to the archive mailbox. It's a personal tag for archiving after 1 year that users can assign to items in their mailbox when they want a shorter archive period than their default of 3 years.

+In this step, you'll create the two custom retention tags that were previously described.

+The second retention tag to create is a custom retention policy tag (RPT) for the Deleted Items folder. This tag will delete items in the Deleted Items folder after 5 years, and provides a recovery period when users can use the Recover Deleted Items tool to recover an item.

+After you create the custom retention tags, the next step is to create a new retention policy and add the retention tags. You'll add the two custom retention tags that you created in Step 2, and the built-in tags that were mentioned in the first section. In Step 4, you'll assign this new retention policy to user mailboxes.

+5. Add the 3 retention tags that are described in more detail in the [More information](#more-information) section:

+ - **Personal 1 year move to archive** - a built-in tag that's preconfigured

+ |Alpine House Deleted Items 5 Years Delete and Allow Recovery <br/> |Deletes items from the Deleted Items folder that are 5 years old. Users can recover these items for up 14 days after they're deleted. See the next list entry for more information. <br/> |Custom (See [Step 2: Create new retention tags for the archive and deletion policies](#step-2-create-new-retention-tags-for-the-archive-and-deletion-policies)) <br/> |Retention Policy Tag (Deleted Items); this tag is automatically applied to items in the Deleted items folder. <br/> |

+

+

+- Users can use the Recover Deleted Items tool in Outlook and Outlook on the web (formerly known as Outlook Web App) to recover a deleted item within the deleted item retention period, which by default is 14 days in Exchange Online. An administrator can use Exchange Online PowerShell to increase the deleted item retention period to a maximum of 30 days. For more information, see: [Recover deleted items in Outlook for Windows](https://support.office.com/article/49e81f3c-c8f4-4426-a0b9-c0fd751d48ce) and [Change the deleted item retention period for a mailbox in Exchange Online](/exchange/recipients-in-exchange-online/manage-user-mailboxes/change-deleted-item-retention).

+> - You must pick one primary element but no more than ten primary elements. If you have a multi-token corroborative data field, you should map that to a base SIT as well. The more you can pick that have values that are unique in your actual sensitive data table, the better the accuracy of your EDM SIT will be. It will also improve performance and avoid timeouts caused by process overloading.

+ > At least one, but no more than ten of your schema fields must be designated as searchable.

+The **Devices with sensor issues** tile provides information on the individual device's ability to provide sensor data and communicate with the Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues.

+Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your queue so that your security team can focus on higher priority work items.

+If you have alerts that are either false positives or that are true positives but for unimportant events, you can suppress those alerts in Microsoft 365 Defender. Suppressing alerts helps reduce noise in your queue.

+ To block a specific removable storage class but allow specific media, you can use ΓÇÿ`IncludedIdList` a group through `PrimaryId` and `ExcludedIDList` a group through `DeviceId`/`HardwareId`/etc.ΓÇÖ For additional details, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md).

+- Removable storage group allows you to create group. For example, authorized USB group or encrypted USB group.

+- Access policy rule allows you to create policy to restrict each removable storage group. For example, only allow authorized user to Write access-authorized USB group.

+- To block a specific removable storage class but allow specific media, you can use ΓÇÿ`IncludedIdList` a group through `PrimaryId` and `ExcludedIDList` a group through `DeviceId`\/`HardwareId`/etc.` For additional guidance, see [Deploy Removable Storage Access Control by using Intune OMA-URI](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri).

+| **SID** | Local user SID or user SID group or the SID of the AD object, defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means applying the policy over the machine. | |

+| **ComputerSID** | Local computer SID or computer SID group or the SID of the AD object, defines whether to apply this policy over a specific machine or machine group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both SID and ComputerSID into the same Entry. | |

+> [!NOTE]

+> To remove any additions you might have made before uninstalling `mdatp`, delete the custom file from `/etc/systemd/system`.

+- When upgrading from mdatp version 101.75.43, run the following commands before attempting to upgrade to version 101.80.97

+```

+sudo mdatp config real-time-protection --value=disabled

+sudo systemctl disable mdatp

+```

+You can promote or demote the rank of a device group so that it's given higher or lower priority during matching. A device group with a rank of 1 is the highest ranked group. When a device is matched to more than one group, it's added only to the highest ranked group. You can also edit and delete groups.

+Defender for Endpoint notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed and you can access all alerts in the **Alerts queue**.

+Network protection expands the scope of Microsoft Defender [SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources. The blocks on outbound HTTP(s) traffic are based on the domain or hostname.

+1. Turn on the ΓÇ£networkProtectionΓÇ¥ feature, edit the ΓÇ£/etc/opt/microsoft/mdatp/wdavcfgΓÇ¥ and set **networkProtection** to **enabled**.

+The following table identified key concepts that are important to understand when evaluating, configuring, and deploying Defender for Office 365.

+|Exchange Online Protection|Exchange Online Protection (EOP) is the cloud-based filtering service that helps protect your organization against spam and malware in email. EOP is included in all Microsoft 365 licenses that include Exchange Online.|[Exchange Online Protection overview](../office-365-security/exchange-online-protection-overview.md)|

+|Anti-malware protection|Organizations with mailboxes in Exchange Online are automatically protected against malware.|[Anti-malware protection in EOP](../office-365-security/anti-malware-protection.md)|

+|Anti-spam protection|Organizations with mailboxes in Exchange Online are automatically protected against junk mail and spam.|[Anti-spam protection in EOP](../office-365-security/anti-spam-protection.md)|

+|Anti-phishing protection|Defender for Office 365 offers more advanced anti-phishing protection related to spear phishing, whaling, ransomware, and other malicious activities.|[Extra anti-phishing protection in Microsoft Defender for Office 365](../office-365-security/anti-phishing-protection.md)|

+|Safe Attachments|Safe Attachments provides an extra layer of protection by using a virtual environment to check and "detonate" attachments in email messages before they're delivered.|[Safe Attachments in Microsoft Defender for Office 365](../office-365-security/safe-attachments.md)|

+A successful Defender for Office 365 evaluation or production pilot assumes the following pre-requisites:

+When you evaluate Microsoft Defender for Office 365, you might choose to pilot specific users before enabling and enforcing policies for your entire organization. Creating distribution groups can help manage the deployment processes. For example, create groups such as *Defender for Office 365 Users - Standard Protection*, *Defender for Office 365 Users - Strict Protection*, *Defender for Office 365 Users - Custom Protection*, or *Defender for Office 365 Users - Exceptions*.

+It might not be evident why 'Standard' and 'Strict' are the terms used for these groups, but that will become clear when you explore more about Defender for Office 365 security presets. Naming groups 'custom' and 'exceptions' speak for themselves, and though most of your users should fall under *standard* and *strict*, custom and exception groups will collect valuable data for you regarding managing risk.

+1. Sign in to the Exchange Admin Center (EAC) at <https://admin.exchange.microsoft.com> using an account that has been granted Recipient Administrator role or been delegated group management permissions.

+2. Go to **Recipients** \> **Groups**.

+3. On the **Groups** page, select  **Add a group**.

+4. For group type, select **Distribution**, and then click **Next**.

+5. Give the group a **Name** and and optional **Description**, and then click Next.

+6. On the remaining pages, assign an owner, add members to the group, set the email address, join-depart restrictions, and other settings.

+Some capabilities in Defender for Office 365 are configured and turned on by default, but security operations might want to raise the level of protection from the default.

+Some capabilities are *not yet* configured. You have the following options for configuring protection:

+- **Assign users to preset security policies**: [Preset security policies](../office-365-security/preset-security-policies.md) are provided as a method to quickly assign a uniform level of protection across all of the capabilities. You can choose from **Standard** or **Strict** protection. The advantage here is that you protect groups of users as quickly as possible. This disadvantage here is that you can't customize most of the settings in preset security policies (for example, you can't change an action from **Deliver to recipients' Junk Email folders** to **Quarantine** or vice-versa). Also keep in mind that preset security policies are *always* applied before custom policies. So, if you want to create and use any custom policies, you'll need to exclude users in those custom policies from preset security policies.

+- **Configure *custom* protection policies**: If you prefer to configure the environment yourself, you can quickly achieve a *baseline* of protection by following the guidance in [Protect against threats](../office-365-security/protect-against-threats.md). With this approach, you get to learn more about the settings that are configurable. And, you can fine-tune the policies later.

+ You can also build and assign custom protection policies as part of your evaluation. Before you start customizing policies, it's important to understand the precedence in which these protection policies are applied and enforced. Security operations will need to create and/or configure some policies, even if when the preset is applied.

+We recommended you begin with the *recommended baseline policies* when evaluating MDO and then refine them as needed over the course of your evaluation period.

+You can enable preset security policies in EOP and Defender for Office 365 fast, and assign them to specific pilot users or defined groups as part of your evaluation. Preset policies offer a baseline **Standard** protection template or a more aggressive **Strict** protection template, which can be assigned independently.

+For example, an EOP condition for pilot evaluations could be applied if the recipients are *members* of a defined *EOP Standard Protection* group, and then managed by adding accounts to, or removing account from, the group.

+Likewise, a Defender for Office 365 condition for pilot evaluations could be applied if the recipients are *members* of a defined *Defender for Office 365 Standard Protection* group and then managed by adding / removing accounts via the group.

+For complete instructions, see [Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users](../office-365-security/preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).

+It's *important* to be aware of the precedence these protection policies take when applied and enforced, as explained in [Order and precedence of email protection - Office 365](../office-365-security/how-policies-and-protections-are-combined.md) and [Order of precedence for preset security policies and other policies](../office-365-security/preset-security-policies.md#order-of-precedence-for-preset-security-policies-and-other-policies).

+|Policy|Description|Included in preset<br>security policies?|Default policy<br>available?|Reference|

+|||::|::||

+|Connection filter policies|Identify good or bad source email servers by IP address.|No|Yes|[Configure the default connection filter policy in EOP](../office-365-security/configure-the-connection-filter-policy.md)|

+|Outbound spam filter policies|Specify outbound message rate limits and control external email forwarding.|No|Yes|[Configure outbound spam filtering in EOP](../office-365-security/configure-the-outbound-spam-policy.md)|

+|Anti-malware policies|Protect users from email malware including what actions to take and who to notify if malware is detected.|Yes|Yes|[Configure anti-malware policies in EOP](../office-365-security/configure-anti-malware-policies.md)|

+|Anti-spam policies|Protect users from email spam including what actions to take if spam is detected.|Yes|Yes|[Configure anti-spam policies in Defender for Office 365](../office-365-security/configure-your-spam-filter-policies.md)|

+|Anti-spoofing protection|Protect users from spoofing attempts using spoof intelligence and spoof intelligence insights.|Yes|Yes|[Configure spoof intelligence in Defender for Office 365](../office-365-security/learn-about-spoof-intelligence.md) <br><br> [Configure anti-phishing policies in EOP](../office-365-security/configure-anti-phishing-policies-eop.md)|

+|Impersonation protection|Protect users from phishing attacks and configure safety tips on suspicious messages|Yes, but some configuration required.|Yes, but some configuration required.|[Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](../office-365-security/set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) <br><br> [Impersonation insight in Defender for Office 365](../office-365-security/impersonation-insight.md) <br><br> [Configure anti-phishing policies in Microsoft Defender for Office 365](../office-365-security/configure-mdo-anti-phishing-policies.md)|

+|Safe Attachments policies|Protect users from malicious content in email attachments and files in SharePoint, OneDrive, and Teams.|Yes|Effectively, via Built-in protection|[Set up Safe Attachment policies in Defender for Office 365](../office-365-security/set-up-safe-attachments-policies.md)|

+|Safe Links policies|Protect users from opening and sharing malicious links in email messages or supported Office apps.|Yes|Effectively, via Built-in protection|[Set up Safe Links policies in Defender for Office 365](../office-365-security/set-up-safe-links-policies.md)|

+|Reports dashboard|On the left navigation menu, click Reports and expand the Email & collaboration heading. The Email & collaboration reports are about spotting security trends some of which will allow you to take action (through buttons like 'Go to submissions'), and others that will show trends. These metrics are generated automatically.|[View email security reports in the Microsoft 365 Defender portal](../office-365-security/view-email-security-reports.md) <br><br> [View Defender for Office 365 reports in the Microsoft 365 Defender portal](../office-365-security/view-reports-for-mdo.md)|

+- **Exchange Online Protection**, part of Microsoft Defender for Office 365, can detect the phishing email and use mail flow rules (also known as transport rules) to make certain it never arrives in the Inbox.

+- **Defender for Office 365** uses Safe Attachments to test the attachment and determine that it's harmful, so the mail that arrives either isn't actionable by the user, or policies prevent the mail from arriving at all.

+- Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. It shares signals resulting from these activities with Microsoft 365 Defender. Exchange Online Protection (EOP) is integrated to provide end-to-end protection for incoming email and attachments.

+|Serial Number|Step|Description|

+||||

+|1|[Create the evaluation environment](eval-create-eval-environment.md)|This step ensures you have the trial license for Microsoft 365 Defender.|

+|2|[Enable Defender for Identity](eval-defender-identity-overview.md)|Review the architecture requirements, enable the evaluation, and walk through tutorials for identifying and remediating different attack types.|

+|3|[Enable Defender for Office 365](eval-defender-office-365-overview.md)|Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment. This component includes Exchange Online Protection and so you will actually evaluate *both* here.|

+|4|[Enable Defender for Endpoint](eval-defender-endpoint-overview.md)|Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment.|

+|5|[Enable Microsoft Defender for Cloud Apps](eval-defender-mcas-overview.md)|Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment.|

+|6|[Investigate and respond to threats](eval-defender-investigate-respond.md)|Simulate an attack and begin using incident response capabilities.|

+|7|[Promote the trial to production](eval-defender-promote-to-production.md)|Promote the Microsoft 365 components to production one-by-one.|

+This order is commonly recommended and designed to leverage the value of the capabilities quickly based on how much effort is typically required to deploy and configure the capabilities. For example, Defender for Office 365 can be configured in less time than it takes to enroll devices in Defender for Endpoint. Of course, you should prioritize the components to meet your business needs, and can enable these in a different order.

+ - The default file types: `ace, apk, app, appx, ani, arj, bat, cab, cmd,com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z`.

+-  **Download email**: In the flyout that appears, configure the following settings:

+ - **Reason for downloading file**: Enter descriptive text.

+ - **Create password** and **Confirm password**: Enter a password that's required to open the downloaded message file.

+ When you're finished, click **Download**, and then **Done** to save a local copy of the message. The .eml message file is save in a compressed file named Quarantined Messages.zip in your **Downloads** folder. If the .zip file already exists, a number is appended to the filename (for example, Quarantined Messages(1).zip).

+-  **Download email**: In the flyout that appears, configure the following settings:

+ - **Reason for downloading file**: Enter descriptive text.

+ - **Create password** and **Confirm password**: Enter a password that's required to open the downloaded message file.

+ When you're finished, click **Download**, and then **Done** to save a local copy of the message. The .eml message file is save in a compressed file named Quarantined Messages.zip in your **Downloads** folder. If the .zip file already exists, a number is appended to the filename (for example, Quarantined Messages(1).zip).

+1. [Login to the Azure Portal](https://portal.azure.com) and navigate to **Microsoft Sentinel** > Pick the relevant workspace to integrate with Microsoft 365 Defender

+- Sufficient permissions (Global admin for add-in deployment, security admin for customization)

+1. On the flyout that appears, select who to deploy the add-in to. If testing you may wish to use a specific group, otherwise configure it for the **entire organization** ΓÇô when you've made a selection press **Next**.

+2. If you wish for notifications to come from an internal organizational mailbox, select **Specify Office 365 email address to use as sender** and search for a valid mailbox in your organization to send the notifications from.

+4. On the **Footer** tab, select the global footer to be sent for notifications, along with your organization's logo if appropriate.

+- The [Evaluation dashboard](try-microsoft-defender-for-office-365.md#reports-for-audit-mode) provides an easy view of the threats detected by Defender for Office 365 during evaluation.

+This section describes the reports that are available in audit mode and blocking mode.

+### Reports for blocking mode

+In **blocking mode**, the following reports show detections by Defender for Office 365:

+### Reports for audit mode

+In **audit mode**, the following reports show detections by Defender for Office 365:

+- The [Threat protection status report](view-email-security-reports.md#threat-protection-status-report) has **Evaluation: Yes/No** as a filterable property in the following views:

+ - [View data by Email \> Phish and Chart breakdown by Detection Technology](view-email-security-reports.md#view-data-by-email--phish-and-chart-breakdown-by-detection-technology)

+ - [View data by Email \> Malware and Chart breakdown by Detection Technology](view-email-security-reports.md#view-data-by-email--malware-and-chart-breakdown-by-detection-technology)

+ - [View data by Email \> Spam and Chart breakdown by Detection Technology](view-email-security-reports.md#view-data-by-email--spam-and-chart-breakdown-by-detection-technology)

+- [Threat Explorer](threat-explorer.md) shows the following banner in message detection details on the **Analysis** tab for **Bad attachment**, **spam url + malware**, **Phish url**, and **impersonation** messages that were detected by the Defender for Office 365 evaluation show the following banner in the details of the entry: