+- [Create protected PDFs from Office files](https://support.microsoft.com/topic/aba7e367-e482-49e7-b746-a385e48d01e4)

+|[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) to existing documents | Rolling out to Current Channel: 2208+ <br /><br> Monthly Enterprise Channel: Under review <br /><br> Semi-Annual Enterprise Channel: Under review | Rolling out to 16.63+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

+For end user documentation, see [Create protected PDFs from Office files](https://support.microsoft.com/topic/aba7e367-e482-49e7-b746-a385e48d01e4).

+- [Create protected PDFs from Office files](https://support.microsoft.com/topic/aba7e367-e482-49e7-b746-a385e48d01e4)

+ > Default labeling for existing documents is newly supported for built-in labeling for Office apps. For more information about the rollout per app and minimum versions, see the [capabilities table](sensitivity-labels-office-apps.md#sensitivity-label-capabilities-in-word-excel-and-powerpoint) for Word, Excel, and PowerPoint.

+

+

+|Server hardware|Server hardware requirements have changed from Exchange 2013. Make sure your hardware is compatible. Find out more about hardware requirements here: <p> [Exchange 2019 system requirements](/exchange/plan-and-deploy/system-requirements?view=exchserver-2019&preserve-view=true) <p>With the significant improvements in Exchange performance and the increased computing power and storage capacity in newer servers, you'll likely need fewer servers to support the same number of mailboxes.|

+|Office client versions|The minimum supported Office client version is also documented in the [Exchange Supportability Matrix](/exchange/plan-and-deploy/supportability-matrix?view=exchserver-2019#clients&preserve-view=true).|

+- Active Directory [schema changes for Exchange 2019](/exchange/plan-and-deploy/active-directory/ad-schema-changes?view=exchserver-2019&preserve-view=true)

+- System [requirements for Exchange 2019](/exchange/plan-and-deploy/system-requirements?view=exchserver-2019&preserve-view=true)

+[Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Note that anti-phishing and custom indicators (URL and IP addresses) are supported as part of web protection. Web content filtering is currently not supported on mobile platforms.

+1. For **Android Enterprise work profile**, end user controls will not be visible. Admins control these settings.

+> [!IMPORTANT]

+>

+> Currently, only the **Antivirus Health JSON Response** is generally available. **Antivirus Health API via files** is currently only available in public preview.

+>

+> **Advanced Hunting custom query** is currently only available in public preview, even if the queries are still visible.

+> [!IMPORTANT]

+> Information in this section relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

+ms.localizationpriority: medium

+> [!IMPORTANT]

+>

+> Currently, only the **Antivirus Health JSON Response** is generally available. **Antivirus Health API via files** is currently only available in public preview.

+>

+> **Advanced Hunting custom query** is currently only available in public preview, even if the queries are still visible.

+> [!IMPORTANT]

+> Information in this section relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

+ Title: Get the device secure score

+1. On the **Add app** page, click on **Search the App Store** and type **Microsoft Defender** in the search bar. In the search results section, click on *Microsoft Defender* and click **Select**.

+## Report access permissions

+1. Sign in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a> using account with Security administrator or Global administrator role assigned.

+1. Select **Edit**.

+## Sensor health & OS tab

+>:::image type="content" source="images/device-health-sensor-health-os-tab.png" alt-text="Shows Sensor health and Operating system information." lightbox="images/device-health-sensor-health-os-tab.png":::

+### Current state graph

+>:::image type="content" source="images/device-health-sensor-health-os-current-state-graph.png" alt-text="Shows the current state graph." lightbox="images/device-health-sensor-health-os-current-state-graph.png":::

+### Device trends graph

+>:::image type="content" source="images/device-health-sensor-health-os-device-trends-graph.png" alt-text="Shows the Device Health versions trends graph." lightbox="images/device-health-sensor-health-os-device-trends-graph.png":::

+### Filtering data

+### Sensor health card

+> [!NOTE]

+>

+> In a small percentage of cases, the numbers and distributions reported when clicking on the horizontal Sensor health bar graph will be out of synch with the values shown in the **Device inventory** page. The disparity in values can occur because the Sensor Health Reports has a different refresh cadence than the Device Inventory page.

+### Operating systems and platforms card

+For example, Secure Boot (introduced in Windows 8) practically eliminated the threat from some of the most harmful types of malware. Improvements in Windows 10 provide PC manufacturers the option to prevent users from disabling Secure Boot. Preventing users from disabling Secure Boot removes almost any chance of malicious rootkits or other low-level malware from infecting the boot process.

+Ideally, the ΓÇ£Current stateΓÇ¥ graph shows that the number of operating systems is weighted in favor of more current OS over older versions. Otherwise, the trends graph indicates that new systems are being adopted and/or older systems are being updated or replaced.

+### Windows 10 versions card

+The Windows 10 versions card shows the distribution of Windows devices and their versions in your organization.

+## Microsoft Defender Antivirus health tab

+| The three version cards provide flyout reports that provide additional information, and enable further exploration. | The three up-to-date reporting cards provide links to resources to learn more. |

+^{[1](#fn1)} For the three _updates_ cards (also known as up-to-date reporting cards), "**No data available**" (or "Unknown" value) indicates devices that aren't reporting update status. Devices that aren't reporting update status can be due to various reasons, such as:

+- Cloud protection isn't enabled

+- Device does not meet pre-requisites for Antivirus engine or platform version

+### Prerequisites

+Up to date reporting generates information for devices that meet the following criteria:

+- Engine version: 1.1.19300.2+

+- Platform version: 4.18.2202.1+

+- Cloud protection enabled

+- Windows OS*

+*Currently up to date reporting is only available for windows devices. Cross platform devices such as Mac and Linux are listed under ΓÇ£no data availableΓÇ¥

+>:::image type="content" source="images/device-health-defender-antivirus-health-tab.png" alt-text="Shows the Microsoft Defender Antivirus Health tab." lightbox="images/device-health-defender-antivirus-health-tab.png":::

+### Card functionality

+>:::image type="content" source="images/device-health-defender-antivirus-health-antivirus-details.png" alt-text="Shows the Microsoft Defender Antivirus details flyout." lightbox="images/device-health-defender-antivirus-health-antivirus-details.png":::

+To add or remove specific types of information on the **Microsoft Defender Antivirus details** flyout, select **Customize Columns**. In **Customize Columns**, select or clear items to specify what you want included in the Microsoft Defender Antivirus details report.

+>:::image type="content" source="images/device-health-defender-antivirus-engine-version-details-custom-columns.png" alt-text="Shows custom column options for Microsoft Defender Antivirus health reporting." lightbox="images/device-health-defender-antivirus-engine-version-details-custom-columns.png":::

+#### New Microsoft Defender Antivirus filter definitions

+The following table contains a list terms that are new to Microsoft Defender Antivirus reporting.

+| Column name | Description |

+|:|:|

+| Security intel publish time | Indicates MicrosoftΓÇÖs release date of the security intelligence update version on the device. Devices with a security intelligence publish time greater than 7 days are considered out of date in the reports. |

+| Last seen | Indicates date when device last had connection. |

+| Data refresh timestamp | Indicates when client events were last received for reporting on AV mode, AV engine version, AV platform version, AV security intelligence version, and scan information. |

+| Signature refresh time | Indicates when client events were last received for reporting on engine, platform, and signature up to date status. |

+#### Export report

+There are two levels of reports that you can export:

+##### Top level export

+There are two different export csv functionalities through the portal:

+- **Top-level export** You can use the top level **Export** button to gather an all-up Microsoft Defender Antivirus health report (500K limit).

+>:::image type="content" source="images/device-health-defender-antivirus-health-tab-export.png" alt-text="Shows the top-level export report button" lightbox="images/device-health-defender-antivirus-health-tab-export.png":::

+- **Flyout level export** You can use the **Export** button within the flyouts to export a report to an Excel spreadsheet (100K limit).

+Exported reports capture information based on your entry-point into the details report and which filters or customized columns you have set.

+For information on exporting using API, see the following articles:

+> [!IMPORTANT]

+>

+> Currently, only the **Antivirus Health JSON Response** is generally available. **Antivirus Health API via files** is currently only available in public preview.

+>

+> **Advanced Hunting custom query** is currently only available in public preview, even if the queries are still visible.

+### Microsoft Defender Antivirus version and update cards functionality

+#### Full report

+In any of the three _version_ cards, select **View full report** to display the nine most recent Microsoft Defender Antivirus _version_ reports for each of the three device types: Windows, Mac, and Linux; if fewer than nine exist, they're all shown. An **Other** category captures recent antivirus engine versions ranking tenth and below, if detected.

+>:::image type="content" source="images/device-health-defender-antivirus-health-view-full-report.png" alt-text="Shows the distribution of the top nine operating systems of each type" lightbox="images/device-health-defender-antivirus-health-view-full-report.png":::

+>:::image type="content" source="images/device-health-defender-antivirus-health-antivirus-details-up-to-date.png" alt-text="Shows Microsoft Defender Antivirus version details" lightbox="images/device-health-defender-antivirus-health-antivirus-details-up-to-date.png":::

+### Card descriptions

+#### Antivirus mode card

+>:::image type="content" source="images/device-health-defender-antivirus-health-antivirus-mode.png" alt-text="Shows filtering Microsoft Defender Antivirus modes" lightbox="images/device-health-defender-antivirus-health-antivirus-mode.png":::

+#### Recent antivirus scan results card

+#### Antivirus engine version card

+#### Antivirus security intelligence version card

+For more information on the current versions and how to update the different Microsoft Defender Antivirus components, see [Microsoft Defender Antivirus platform support](manage-updates-baselines-microsoft-defender-antivirus.md)

+#### Up-to-date cards

+The up-to-date cards show the up-to-date status for **Antivirus engine**, **Antivirus platform**, and **Security intelligence** update versions. There are three possible states: _Up to date_ (‘True’), _out of date_ (‘False’), and _no data available_ (‘Unknown’).

+Definitions for _up-to-date_, _out-of-date_, and _no_data_available_ are provided for each card below.

+Microsoft Defender Antivirus (MDAV) make up-to-date reports makes determinations based on the following criteria:

+- **For engine & platform updates**: the time client events were last received for up to date reports (ΓÇ£Signature Refresh timeΓÇ¥) and Security Intelligence Publish Time (security intelligence VDMs are also used to determine engine & platform versions)

+- **For security intelligence updates**: the time client events were last received for up to date reports (ΓÇ£Signature Refresh timeΓÇ¥), Security Intelligence Publish Time, and the last up-to-date status communicated from client

+For more information about the aforementioned terms, refer back to the section: [New Microsoft Defender Antivirus filter definitions](#new-microsoft-defender-antivirus-filter-definitions)

+> [!NOTE]

+>

+> Up to date reporting **prerequisites**

+>

+> Up to date reporting generates information for devices that meet the following criteria:

+>

+> - Engine version: 1.1.19300.2+

+> - Platform version: 4.18.2202.1+

+> - Cloud protection enabled

+> - Windows OS*

+>

+>*Currently up to date reporting is only available for windows devices. Cross platform devices such as Mac and Linux are listed under ΓÇ£no data availableΓÇ¥

+>

+##### Up-to-date examples

+| The engine/platform on the device is considered: | If: |

+|:|:|

+| **up-to-date** | the device communicated with the Defender report event (‘Signature refresh time’) within last 7 days and has a security intelligence publish time within last 7 days and the Engine or Platform version build time is within last 60 days. |

+| **out-of-date** | the device communicated with the Defender report event (‘Signature refresh time’) within last 7 days and has a security intelligence publish time within last 7 but Engine or Platform version build time is older than 60 days. |

+| **unknown (no data available)** | the device has not communicated with the report event (ΓÇÿSignature refresh timeΓÇÖ) for more than 7 days, or the security intelligence publish time is greater than 7 days. |

+**The security intelligence update is considered up-to date** If the security intelligence version on the device was written in the past 7 days and the device has communicated with the report event in past 7 days

+For more information on these, see:

+- [Antivirus engine updates card](#antivirus-engine-updates-card)

+- [Security intelligence updates card](#security-intelligence-updates-card)

+- [Antivirus platform updates card](#antivirus-platform-updates-card)

+##### Antivirus engine updates card

+This card identifies devices that have antivirus engine versions that are up to date versus out of date.

+**The general definition of ΓÇÿ_Up to date_ΓÇÖ** - the engine version on the device is the most recent engine release (the Engine is _usually_ released monthly, via Windows Update (WU)). There's a three-day grace period from the day when Windows Update (WU) is released.

+The following table lays out the possible values for up to date reports for **Antivirus Engine**. Reported Status is based on the last time reporting event was received, and security intelligence publish time.

+| EventΓÇÖs Last Refresh Time (aka ΓÇ£Signature Refresh TimeΓÇ¥ in reports) | Security Intelligence Publish Time | _Reported Status_: |

+|:-|:-|:-|

+| < 7 days (new) | < 7 days (new) | _Up to date/ Out of Date/ Unknown (whatever client reports)_ |

+| > 7 days (old) | > 7 days (old) | _Unknown_ |

+| < 7 days (new) | > 7 days (old) | _Unknown_ |

+| > 7 days (old) | < 7 days (new) | _Unknown_ |

+For information about Manage Microsoft Defender Antivirus update versions, see:ΓÇ»[Monthly platform and engine versions](manage-updates-baselines-microsoft-defender-antivirus.md#monthly-platform-and-engine-versions)

+#### Antivirus platform updates card

+This card identifies devices that have Antivirus platform versions that are up to date versus out of date.

+**The general definition of ‘Up to date’** The platform version on the device is the most recent platform release (Platform is usually released monthly, via Windows Update). There's a three-day grace period from the day when WU is released.

+The following table lays out the possible up to date report values for **Antivirus Platform**. Reported values are based on the last time reporting event was received, and security intelligence publish time.

+| EventΓÇÖs Last Refresh Time (aka ΓÇ£Signature Refresh TimeΓÇ¥ in reports) | Security Intelligence Publish Time | _Reported Status_: |

+|:-|:-|:-|

+| < 7 days (new) | < 7 days (new) | _Up to date/ Out of Date/ Unknown (whatever client reports)_ |

+| > 7 days (old) | > 7 days (old) | _Unknown_ |

+| < 7 days (new) | > 7 days (old) | _Unknown_ |

+| > 7 days (old) | < 7 days (new) | _Unknown_ |

+For information about Manage Microsoft Defender Antivirus update versions, see: [Monthly platform and engine versions](manage-updates-baselines-microsoft-defender-antivirus.md#monthly-platform-and-engine-versions)

+##### Security intelligence updates card

+This card identifies devices that have security intelligence versions that are up to date versus out of date.

+**The general definition of ΓÇÿUp to dateΓÇÖ** ΓÇô the security intelligence version on the device was written in the past 7 days.

+The following table lays out the possible up to date report values for **Security Intelligence** updates. Reported values are based on the last time reporting event was received, and security intelligence publish time.

+| EventΓÇÖs Last Refresh Time (aka ΓÇ£Signature Refresh TimeΓÇ¥ in reports) | Security Intelligence Publish Time | _Reported Status_: |

+|:-|:-|:-|

+| >7 days (old) | >7 days (old) | Up to date | _Unknown_ |

+| <7 days (new) | >7 days (old) | Up to Date | _Unknown_ |

+| >7 days (old) | <7 days (new) | Up to date | _Unknown_ |

+| <7 days (new) | <7 days (new) | Unknown | _Unknown_|

+| <7 days (new) | <7 days (new) | Up to Date | _Up to Date_ |

+| >7 days (old) | <7 days (new) | Out of date | _Out of Date_ |

+| >7 days (old) | >7 days (old) | Out of date | _Out of Date_ |

+| <7 days (new) | >7 days (old) | Out of Date | _Out of Date_ |

+## See also

+- [Export device antivirus health details API methods and properties](device-health-api-methods-properties.md)

+- [Export device antivirus health report](device-health-api-methods-properties.md)

+> For antivirus-related information for other platforms, see:

+>

+## License requirement

+In order to be eligible to purchase Microsoft Defender for Endpoint Server SKU, you must have already purchased a combined minimum of any of the following: Windows E5/A5, Microsoft 365 E5/A5, or Microsoft 365 E5 Security subscription licenses. For more information on licensing, see the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering/MicrosoftDefenderforEndpointServer/all).

+2. The results will include a maximum of 10,000 rows.

+1. WpnService (Windows Push Notifications System Service) is not disabled.

+2. WpnService connectivity with WNS cloud is not disabled via group policy or MDM setting. ['Turn off notifications network usage'](/windows/client-management/mdm/policy-csp-notifications) should not be set to '1'.

+f1.keywords:

+|Call-out|Description|

+|||

+|1|The host server for the external sender typically performs a public DNS lookup for an MX record, which provides the target server to relay the message. This referral can either be Exchange Online (EXO) directly or an SMTP gateway that has been configured to relay against EXO.|

+|2|Exchange Online Protection negotiates and validates the inbound connection and inspects the message headers and content to determine what extra policies, tagging, or processing is required.|

+|3|Exchange Online integrates with Microsoft Defender for Office 365 to offer more advanced threat protection, mitigation, and remediation.|

+|4|A message that is not malicious, blocked, or quarantined is processed and delivered to the recipient in EXO where user preferences related to junk mail, mailbox rules, or other settings are evaluated and triggered.|

+|5|Integration with on-premises Active Directory can be enabled using Azure AD Connect to synchronize and provision mail-enabled objects and accounts to Azure Active Directory and ultimately Exchange Online.|

+|6|When integrating an on-premises environment, it is encouraged to use an Exchange server for supported management and administration of mail-related attributes, settings, and configurations|

+|7|Microsoft Defender for Office 365 shares signals to Microsoft 365 Defender for extended detection and response (XDR).|

+|Concept|Description|More information|

+||||

+|Exchange Online Protection|Exchange Online Protection (EOP) is the cloud-based filtering service that helps protect your organization against spam and malware emails. EOP is included in all Microsoft 365 licenses that include Exchange Online.|[Exchange Online Protection overview](../office-365-security/exchange-online-protection-overview.md)|

+|Anti-malware protection|Organizations with mailboxes in EXO are automatically protected against malware.|[Anti-malware protection in EOP](../office-365-security/anti-malware-protection.md)|

+|Anti-spam protection|Organizations with mailboxes in EXO are automatically protected against junk mail and spam policies.|[Anti-spam protection in EOP](../office-365-security/anti-spam-protection.md)|

+|Anti-phishing protection|MDO offers more advanced anti-phishing protection related to spear phishing, whaling, ransomware, and other malicious activities.|[Extra anti-phishing protection in Microsoft Defender for Office 365](../office-365-security/anti-phishing-protection.md)|

+|Anti-spoofing protection|EOP includes features to help protect your organization from spoofed (forged) senders.|[Anti-spoofing protection in EOP](../office-365-security/anti-spoofing-protection.md)|

+|Safe Attachments|Safe Attachments provides an extra layer of protection by using a virtual environment to check and "detonate" attachments in email messages before they are delivered.|[Safe Attachments in Microsoft Defender for Office 365](../office-365-security/safe-attachments.md)|

+|Safe Attachments for SharePoint, OneDrive, and Microsoft Teams|In addition, Safe Attachments for SharePoint, OneDrive, and Microsoft Teams offers an extra layer of protection for files that have been uploaded to cloud storage repositories.|[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](../office-365-security/mdo-for-spo-odb-and-teams.md)|

+|Safe Links|Safe Links is a feature that provides URL scanning and rewriting within inbound email messages and offers verification of those links before they are delivered or clicked.|[Safe Links in Microsoft Defender for Office 365](../office-365-security/safe-links.md)|

+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)

+- [Step 1: Audit and verify the public MX record](#step-1-audit-and-verify-the-public-mx-record)

+- [Step 2: Audit accepted domains](#step-2-audit-accepted-domains)

+- [Step 3: Audit inbound connectors](#step-3-audit-inbound-connectors)

+- [Step 4: Activate the evaluation](#step-4-activate-the-evaluation)

+## Step 1: Audit and verify the public MX record

+To effectively evaluate Microsoft Defender for Office 365, it's important that inbound external email is relayed through the Exchange Online Protection (EOP) instance associated with your tenant.

+1. In the M365 Admin Portal at <https://admin.microsoft.com>, expand *...Show all* if necessary, expand *Settings*, and then select **Domains**. Or, to go directly to the *Domains* page, use <https://admin.microsoft.com/Adminportal/Home#/Domains>.

+2. On the *Domains* page, select your verified email domain by clicking anywhere on the entry other than the check box.

+3. In the domain details flyout that opens, select the **DNS records** tab. Make note of the MX record that's generated and assigned to your EOP tenant.

+4. Access your external (public) DNS zone and check the primary MX record associated with your email domain:

+ - *If your public MX record currently matches the assigned EOP address (for example, contoso-com.mail.protection.outlook.com) then no further routing changes should be required*.

+## Step 2: Audit accepted domains

+1. In the Exchange admin center (EAC) at <https://admin.exchange.microsoft.com>, expand *Mail flow*, and then click **Accepted domains**.Or, to go directly to the *Accepted domains* page, use <https://admin.exchange.microsoft.com/#/accepteddomains>.

+2. On the *Accepted domains* page, make note of the **Domain type** value for your primary email domain.

+ - If the domain type is set to **Authoritative** then it is assumed all recipient mailboxes for your organization currently reside in Exchange Online.

+ - If the domain type is set to **InternalRelay** then you may still be in a hybrid model where some recipient mailboxes still reside on-premises.

+## Step 3: Audit inbound connectors

+1. In the Exchange admin center (EAC) at <https://admin.exchange.microsoft.com>, expand *Mail flow*, and then click **Connectors**. Or, to go directly to the *Connectors* page, use <https://admin.exchange.microsoft.com/#/connectors>.

+2. On the *Connectors* page, make note of any connectors with the following settings:

+ - The **From** value is **Partner org** that might correlate to a third-party SMTP gateway.

+ - The **From** value is **Your org** that might indicate you're still in a hybrid scenario.

+## Step 4: Activate the evaluation

+For detailed information, see [Try Microsoft Defender for Office 365](../office-365-security/try-microsoft-defender-for-office-365.md).

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com> expand *Email & collaboration* \> select **Policies & rules** \> select **Threat policies** \> scroll down to the *Others* section, and then select **Evaluation mode**. Or, to go directly to the *Evaluation mode* page, use <https://security.microsoft.com/atpEvaluation>.

+2. On the *Evaluation mode* page, click **Start evaluation**.

+ :::image type="content" source="../../medio-eval-activate-eval_05.png":::

+3. In the *Turn on protection* dialog, select **No, I only want reporting**, and then click **Continue**.

+ :::image type="content" source="../../medio-eval-activate-eval_06.png":::

+4. In the *Select the users you want to include* dialog, select **All users**, and then click **Continue**.

+ :::image type="content" source="../../medio-eval-activate-eval_07.png":::

+5. In the *Help us understand your mail flow* dialog, one of the following options is automatically selected based on our detection of the MX record for your domain:

+ - **I'm only using Microsoft Exchange Online**: The MX records for your domain point to Microsoft 365. There's nothing left to configure, so click **Finish**.

+ :::image type="content" source="../../medio-eval-activate-eval_08a.png":::

+ - **I'm using a third-party and/or on-premises service provider**: In the upcoming screens, select the vendor name along with the inbound connector that accepts mail from that solution. You also decide if you need an Exchange Online mail flow rule (also known as a transport rule) that skips spam filtering for incoming messages from the third-party protection service or device. When you're finished, click **Finish**.

+f1.keywords:

+This article outlines the process to enable and pilot Microsoft Defender for Office 365. Before starting this process, be sure you've reviewed the overall process for [evaluating Microsoft 365 Defender](eval-overview.md), and you've [created the Microsoft 365 Defender evaluation environment](eval-create-eval-environment.md).

+|Step number|Link|Description|

+||||

+|1|[Review architecture requirements and key concepts](eval-defender-office-365-architecture.md)|Understand the Defender for Office architecture and be sure your Exchange Online environment meets the architecture prerequisites.|

+|2|[Enable the evaluation environment](eval-defender-office-365-enable-eval.md)|Follow the steps to set up the evaluation environment.|

+|3|[Set up the pilot](eval-defender-office-365-pilot.md)|Create pilot groups, configure protection, and become familiar with key features and dashboards.|

+ Title: Pilot Microsoft Defender for Office 365, use the evaluation in your production environment

+f1.keywords:

+ :::image type="content" source="../../medio-eval-pilot.png":::

+ :::image type="content" source="../../medio-eval-pilot-add-group.png":::

+ :::image type="content" source="../../medio-eval-pilot-group-type.png":::

+ :::image type="content" source="../../medio-eval-pilot-set-up-basics.png":::

+- **Assign preset security policies automatically**: [Preset security policies](../office-365-security/preset-security-policies.md) are provided as a method to quickly assign a uniform level of protection across all of the capabilities. You can choose from ***Standard*** or ***Strict***. A good approach is to start with preset security policies and then fine-tune the policies as you learn more about the capabilities and your own unique threat environment. The advantage here is that you protect groups of users as quickly as possible, with the ability to tweak protection afterward. (This method is recommended.)

+- **Configure baseline protection manually**: If you prefer to configure the environment yourself, you can quickly achieve a *baseline* of protection by following the guidance in [Protect against threats](../office-365-security/protect-against-threats.md). With this approach, you get to learn more about the settings that are configurable. And, you can fine-tune the policies later.

+- **Configure *custom* protection policies**: You can also build and assign custom protection policies as part of your evaluation. Before you start customizing policies, it's important to understand the precedence in which these protection policies are applied and enforced. Security ops will need to create some policies even if when the preset is applied, in specific in order to define security policies for Safe Links and Safe Attachments.

+> **If you need to configure custom protection policies**, you should examine the values that make up the **Standard** and **Strict** security definitions here: [Recommended settings for EOP and Microsoft Defender for Office 365 security](../office-365-security/recommended-settings-for-eop-and-office365.md). Default values, as seen before any configuration takes place are also listed. Keep a spreadsheet of where your custom build deviates.

+ :::image type="content" source="../../medio-eval-pilot-policies.png":::

+ :::image type="content" source="../../medio-eval-pilot-threat-policies.png":::

+ :::image type="content" source="../../medio-eval-pilot-template-policies.png":::

+ :::image type="content" source="../../medio-eval-pilot-preset.png":::

+ :::image type="content" source="../../medio-eval-pilot-eop-protections.png":::

+ :::image type="content" source="../../medio-protections.png":::

+|Connection filtering|Identify good or bad source email servers by their IP addresses.|[Configure the default connection filter policy in EOP](../office-365-security/configure-the-connection-filter-policy.md)|

+|Anti-malware|Protect users from email malware including what actions to take and who to notify if malware is detected.|[Configure anti-malware policies in EOP](../office-365-security/configure-anti-malware-policies.md)|

+|Anti-spoofing|Protect users from spoofing attempts using spoof intelligence and spoof intelligence insights.|[Configure spoof intelligence in Defender for Office 365](../office-365-security/learn-about-spoof-intelligence.md)|

+|Anti-spam|Protect users from email spam including what actions to take if spam is detected.|[Configure anti-spam policies in Defender for Office 365](../office-365-security/configure-your-spam-filter-policies.md)|

+|Anti-phishing|Protect users from phishing attacks and configure safety tips on suspicious messages|[Configure anti-phishing policies in Defender for Office 365](../office-365-security/configure-mdo-anti-phishing-policies.md)|

+|Attack simulation training|You can use Attack simulation training in the Microsoft 365 Defender portal to run realistic attack scenarios in your organization, which help you identify and find vulnerable users before a real attack impacts your environment.|[Get started using Attack simulation training](../office-365-security/attack-simulation-training-get-started.md)|

+The [Microsoft 365 Defender portal](https://sip.security.microsoft.com/homepage) combines protection, detection, investigation, and response to email, collaboration, identity, device, and cloud app threats, in a central place. The Microsoft 365 Defender portal emphasizes quick access to information, simpler layouts, and bringing related information together for easier use. It includes:

+ Title: Getting started with defense in-depth configuration for email security

+description: Step-by-step configuration guidance on how to get security value from Microsoft Defender for Office 365 when you have third party email filtering.

+search.product:

+search.appverid:

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mdo

+# Getting the best security value from Microsoft Defender for Office 365 when you have third party email filtering

+This guide is for you if:

+- YouΓÇÖre licensed for Microsoft Defender for Office 365 and host your mailboxes in Office 365

+- You're also using a third party for your email security

+The information below will detail how to get the most out of your investment, broken down into easy to follow steps.

+## What you will need

+- Mailboxes hosted in Office 365

+- One or more of:

+ - Microsoft Defender for Office 365 Plan 1 for protection features

+ - Microsoft Defender for Office 365 Plan 2 for most other features (included in E5 plans)

+ - Microsoft Defender for Office 365 Trial (available to all customers at aka.ms/tryMDO)

+- Sufficient permissions to configure the features discussed below

+## Step 1 ΓÇô Understand the value you already have

+### Protection features

+- Built-in protection offers a base level of unobtrusive protection, and includes malware, zero day (Safe Attachments), and URL protection (Safe Links) in email (including internal email), SharePoint Online, OneDrive, and Teams. Note that URL protection provided in this state is via API call only. It doesn't wrap or rewrite URLs but does require a supported Outlook client. You can create your own custom policies to expand your protection.

+**Read more & watch an overview video of Safe Links here :** [Complete Safe Links overview](../safe-links.md)

+**Read more about Safe Attachments here :** [Safe Attachments](../safe-attachments.md)

+### Detection, investigation, response and hunting features

+- When alerts fire in Microsoft Defender for Office 365, they're automatically correlated, and combined into Incidents to help reduce the alert fatigue on security staff. Automated Investigation and Response (AIR) will trigger investigations to help remediate and contain threats.

+**Read more, watch an overview video and get started here :** [Incident response with Microsoft 365 Defender](/microsoft-365/security/defender/incidents-overview)

+- Threat Analytics is our in-product detailed threat intelligence solution from expert Microsoft security researchers, detailed reports designed to get you up to speed on the latest threat groups, attack techniques, how to protect your organization with Indicators of Compromise (IOC) and much more.

+**Read more, watch an overview video and get started here :** [Threat analytics in Microsoft 365 Defender](../../defender/threat-analytics.md)

+- Explorer can be used to hunt threats, visualize mail flow patterns, spot trends, and identify the impact of changes you make during tuning Defender for Office 365. You can also quickly delete messages from your organization with a few simple clicks.

+**Read more, and get started here:** [Threat Explorer and Real-time detections](../threat-explorer.md)

+## Step 2 ΓÇô Enhance the value further with these simple steps

+### Protection features

+- Consider enabling policies beyond the built-in Protection. Enabling time-of-click protection, or impersonation protection, for example, to add extra layers or fill gaps missing from your third party protection. Be aware that if you have a transport rule or connection filter that is overriding verdicts (this also can be known as SCL-1) you'll need to address this before turning on other protection features.

+**Read more here:** [Anti-phishing policies](../set-up-anti-phishing-policies.md)

+- If your current security provider is configured to modify messages *in any way*, itΓÇÖs important to note that authentication signals can impact the ability for Defender for Office to protect you against attacks such as spoofing. If your third party supports Authenticated Received Chain (ARC), then enabling this is a highly recommended step in your journey to advanced dual filtering. Moving any message modification configuration to Defender for Office 365 is also an alternative.

+**Read more here:** [Use Trusted ARC senders for legitimate devices and services between the sender and receiver](../use-arc-exceptions-to-mark-trusted-arc-senders.md)

+- Enhanced Filtering for connectors allows IP address and sender information to be preserved through the third party. This improves accuracy for the filtering (protection) stack, post breach capabilities & authentication improvements.

+**Read more here:** [Enhanced filtering for connectors in Exchange Online](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors)

+- Priority account protection will offer enhanced visibility for accounts in tooling, along with additional protection when in an advanced defense in-depth configuration state.

+**Read more here:** [Priority account protection](protect-your-c-suite-with-priority-account-protection.md)

+- Advanced Delivery should be configured to deliver any third party phish simulations correctly, and if you have a Security Operations mailbox, consider defining it as a SecOps mailbox to ensure emails *do not* get removed from the mailbox due to threats.

+**Read more here:** [Advanced delivery](../configure-advanced-delivery.md)

+- User-reported email settings can be configured to allow users to report messages, directly to Microsoft, or to your custom mailbox (to integrate with current security workflows) or both, the submissions portal can also be accessed to triage false positives and false negatives.

+**Read more here:** [Deploy and configure the report message add-in to users](deploy-and-configure-the-report-message-add-in.md)

+### Detection, investigation, response, and hunting features

+- Advanced hunting can be used to proactively hunt for threats in your organization, using shared queries from the community to help you get started. You can also use custom detections to set up alerts when personalized criteria are met.

+**Read more, watch an overview video and get started here:** [Overview - Advanced hunting](../../defender/advanced-hunting-overview.md)

+### Education features

+- Attack simulation training allows you to run realistic but benign cyber-attack scenarios in your organization. If you don't already have phishing simulation capabilities from your primary email security provider, MicrosoftΓÇÖs simulated attacks can help you identify and find vulnerable users, policies, and practices. This is important knowledge to have and correct *before* a real attack impacts your organization. Post simulation we assign in product or custom training to educate users about the threats they missed, ultimately reducing your organization's risk profile. With Attack simulation training we deliver messages directly into the inbox, so the user experience is rich. This also means no security changes such as overrides needed to get simulations delivered correctly.

+**Get started here:** [Get started using Attack simulation](../attack-simulation-training-get-started.md)

+**Jump right into delivering a simulation here:** [How to setup automated attacks and training within Attack simulation training](how-to-setup-attack-simulation-training-for-automated-attacks-and-training.md)

+## Step 3 and beyond, becoming a dual use hero

+- Many of the detection, investigation, response, and hunting activities described above should be repeated by your security teams. This guidance offers a detailed description of tasks, cadence, and team assignments we would recommend.

+**Read More:** [Security Operations Guide for Defender for Office 365](../mdo-sec-ops-guide.md)

+- Consider user experiences such as accessing multiple quarantines, or the submission / reporting of false positives and false negatives. You can mark messages which are detected by the third party service with a custom *X* header, for example, to allow Defender for Office 365 to detect and quarantine them via transport rules, which would also give users a single place to access quarantined mail.

+**Read More:** [How to configure quarantine permissions and policies](how-to-configure-quarantine-permissions-with-quarantine-policies.md)

+- The Migration guide contains lots of useful guidance on preparing and tuning your environment to ready it for a migration. But many of the steps are *also* applicable to a dual-use scenario. Simply ignore the MX switch guidance in the final steps.

+**Read it here:** [Migrate from a third-party protection service to Microsoft Defender for Office 365 - Office 365 | Microsoft Docs](../migrate-to-defender-for-office-365.md)

+## More information

+[Migrate from a third-party protection service to Microsoft Defender for Office 365](../migrate-to-defender-for-office-365.md)

+[Security Operations Guide for Defender for Office 365](../mdo-sec-ops-guide.md)

+[Get more out of Microsoft Defender for Office 365 with Microsoft 365 Defender](https://www.youtube.com/watch?v=Tdz6KfruDGo)

+ Title: Track and respond to emerging security threats with campaigns view in Microsoft Defender for Office 365

+description: Walkthrough of threat campaigns within Microsoft Defender for Office 365 to demonstrate how they can be used to investigate a coordinated email attack against your organization.

+search.product:

+search.appverid:

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mdo

+# Track and respond to emerging threats with campaigns in Microsoft Defender for Office 365

+Campaigns can be used to track and respond to emerging threats because campaigns allow you to investigate a coordinated email attack against your organization. As new threats target your organization, Microsoft Defender for Office 365 will automatically detect and correlate malicious messages.

+## What you will need

+- Microsoft Defender for Office 365 Plan 2 (included in E5 plans).

+- Sufficient permissions (Security Reader role).

+- Five to ten minutes to perform these steps.

+## What is a campaign in Microsoft Defender for Office 365

+A campaign is a coordinated email attack against one or many organizations. Email attacks that steal credentials and company data are a large and lucrative industry. As technologies to stop attacks grow and multiply, attackers modify their methods to continue their success.

+Microsoft leverages vast amounts of anti-phishing, anti-spam, and anti-malware data across the entire service to help identify campaigns. We analyze and classify the attack information according to several factors, for example:

+- **Attack source**: The source IP addresses and sender email domains.

+- **Message properties**: The content, style, and tone of the messages.

+- **Message recipients**: How recipients are related, for example, recipient domains, recipient job functions (such as admins and executives), company types (such as large, small, public, and private), and industries.

+- **Attack payload**: Malicious links, attachments, or other payloads in the messages.

+A campaign might be short-lived, or could span several days, weeks, or months with active and inactive periods. A campaign might be launched against your specific organization, or your organization might be part of a larger campaign across *multiple* companies.

+> [!TIP]

+> To learn more about the data available within a campaign, read [Campaign Views in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/campaigns).

+## Watch the *Exploring campaign views* video

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWGBL8]

+## Investigating a suspicious email campaign using threat reports

+In the event that a campaign has targeted your organization and youΓÇÖd like to learn more about the impact:

+1. Navigate to the [campaign page](https://security.microsoft.com/campaigns).

+1. Select the campaign name that you would like to investigate.

+1. Upon the flyout opening, select **Download threat report**.

+1. Open the threat report and it will provide more information surrounding the campaign. The information in the report includes:

+- **Executive summary:** High-level summary of the type of campaign and the number of users targeted in your organization.

+- **Analysis:** Timeline chart of when the campaign started, the count of messages targeting your organization, and the destination and verdicts of the messages.

+- **Attack origin:** Top sending IP addresses and domains with a count of messages that were delivered to inboxes in your organization. This allows you to investigate who is targeting your organization.

+- **Email template and payload:** The subject line of the emails that were part of the campaign and URLs (and their frequency) present as part of the campaign.

+- **Recommendations:** Recommendations for next steps to remediate messages.

+## Investigate inboxed messages that are part of a email threat campaign

+1. Navigate to the [campaign page](https://security.microsoft.com/campaigns).

+1. Scroll through the list of campaigns in the **Details view**, below the graph.

+1. Select the campaign name you want to investigate. If the campaign has a click count of more than zero, that indicates that a user in your organization clicked on a URL or downloaded a file from the email.

+1. The campaign flyout displays more information about the campaign, the graph displays a timeline of the campaign from campaign start to end date, and the horizontal flow diagram displays the stages of the campaign from its origin, the verdict, and the current location of the messages.

+1. Below the flow diagram, select the **URL clicks** tab to display information regarding the click. Here you can see the user that clicked on a URL, if the user is tagged as a priority account user, the URL itself, and the time of click.

+1. If you want to learn more about the inboxed and clicked messages, select **Explore messages** > **Inboxed messages**. A new tab will open and navigate to Threat Explorer.

+1. In the **details view** of Explorer you can reference **Latest delivery** to determine if a message is still in the inbox or was moved into quarantine by system ZAP. _To get more details about the specific message, select the message. The flyout provides extra information. Upon selecting the **Open email entity page** on the top left of the flyout, a new tab will open and give you further information about the message._

+1. If you would like to take an action and move the messages out of the inbox, you can select the message and then select **Message actions** > **Move to junk folder**. This will ensure your user doesnΓÇÖt continue to interact with the malicious message that could result in a potential breach.

+## Next steps

+To learn more, read, [Campaign Views in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/campaigns).