-description: "Learn about the various types of groups and how to use them with the various collaboration features of Microsoft 365."

-# Email collaboration in Microsoft 365

-Microsoft 365 encourages collaboration through Groups in Outlook, distribution lists (also called distribution groups), shared mailboxes, and public folders. Each of these options has a different purpose, user experience, and feature set. What to use depends on what the user needs to do and which tools your organization provides.

-

-## Summary of collaboration options

-This table explains the various collaboration options available to you.

-|**Collaboration tool**|**Description**|

-|:--|:--|

-|Groups in Outlook <br/> |A shared workspace that works across all applications in Microsoft 365. Includes a shared inbox, calendar, and OneDrive for Business site for storing files. Users can create, find, and join Groups in Outlook right from their email or calendar. New and existing users with an Exchange Online or a Microsoft 365 subscription can use Groups in Outlook. <br/> |

-|Shared mailbox <br/> |A mailbox for select users to read and send email messages and share a common calendar. Shared mailboxes also can serve as a generic email address (such as info@contoso.com or sales@contoso.com) that customers can use to inquire about your company. When the Send As permission is enabled on the shared mailbox, email sent from the mailbox will use the generic address (e.g., sales@contoso.com). <br/> |

-|Distribution list (also called distribution group) <br/> |Used to distribute email messages to two or more people at the same time. Distribution groups are also known as mail-enabled distribution groups. A variant of the distribution group, called the dynamic distribution group, is a mail-enabled Active Directory group object used to send email to a large and evolving group of recipients. The exact recipients are determined by filters and conditions that you specify, such as all members of a particular locale or all full-time employees. <br/><br/> Microsoft 365 Groups in Outlook offer a more powerful solution for collaboration than distribution groups. To learn more, see [Why you should upgrade your distribution lists to groups in Outlook](https://support.microsoft.com/office/7fb3d880-593b-4909-aafa-950dd50ce188) and [Migrate distribution lists to Microsoft 365 Groups](../manage/upgrade-distribution-lists.md). <br/> |

-|Public folder <br/> |Designed for shared access, public folders provide an easy and effective way to collect, organize, and share information with other people in your organization. Public folders organize content in a deep hierarchy that's easy to browse and always visible in the Outlook folder view. A public folder can be mail-enabled and added as a member of the distribution group. Email sent to the distribution group is automatically added to the public folder for archiving or later reference. Public folders also provide simple document sharing when you don't have a SharePoint Online subscription. <br/> |

-

-## Which collaboration tool to use?

-The following table gives you a quick glance at the various types of groups and explains when and how to use them with the various collaboration features.

-

-||**Groups in Outlook**|**Distribution lists**|**Shared mailboxes**|**Public folders**|

-|:--|:--|:--|:--|:--|

-|**Who uses?** <br/> |Users who want a collaboration workspace for their group messages, files, and calendar that is integrated with the services they already use (Outlook Web App, OneDrive for Business) <br/> |Users who need to send email to a group of recipients with a common interest or characteristic. <br/> |Shared mailboxes are a great way to handle customer email questions because several people in your organization can share the responsibility of monitoring the mailbox and responding to queries. Your customer questions get quicker answers, and related emails are all stored in one mailbox. <br/><br/> Delegates working on behalf of a virtual identity, such as support@contoso.com. Delgates can respond to email as that shared mailbox identity. <br/> |With the proper permissions, everyone in your organization can access and search public folders. They are ideal for email archiving or for sharing documents. <br/> |

-|**Ideal group size** <br/> |Any <br/> |Large <br/> |Small <br/> |Large <br/> |

-|**Access** <br/> |Exchange Online and users <br/> |For distribution groups, members must be manually added. For dynamic distribution groups, members are added based on filtering criteria. <br/> |Users can be granted Full Access and/or Send As permissions. If granted Full Access permissions, users must also add the shared mailbox to their Outlook profile to access the shared mailbox. <br/> |Accessible by anyone in your organization <br/> |

-|**Shared calendar?** <br/> |Yes <br/> |No <br/> |Yes <br/> |Yes <br/> |

-|**Email arrives in user's personal Inbox?** <br/> |No. Users can subscribe to a group and then forward all Group messages to their inbox <br/> |Yes. Email arrives in the inbox of all distribution group members. <br/> |No. Email arrives in the Inbox of the shared mailbox. <br/> |No. Email arrives in the public folder. <br/> |

-|**Supported clients** <br/> | Outlook 2016 <br/> Outlook 2013 (forward after subscribing) <br/> Outlook Web App <br/> Outlook 2010 (forward after subscribing) <br/> Outlook 2007 (forward after subscribing) <br/> | Outlook 2016 <br/> Outlook 2013 <br/> Outlook Web App <br/> Outlook 2010 <br/> Outlook 2007 <br/> | Outlook 2016 <br/> Outlook 2013 <br/> Outlook Web App <br/> Outlook 2010 <br/> Outlook 2007 <br/> | Outlook 2016 <br/> Outlook 2013 <br/> Outlook Web App <br/> Outlook 2010 <br/> Outlook 2007 <br/> |

-## Related content

-[Manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups)

-

-[Use Microsoft 365 Groups instead of Site Mailboxes](https://support.microsoft.com/office/737d6b1f-67cc-41fe-8db8-f2d09dd1673b)

-

-[Create shared mailboxes in Microsoft 365](create-a-shared-mailbox.md)

-

-[Public folders in Microsoft 365 and Exchange Online](/exchange/collaboration-exo/public-folders/public-folders)

-

- For more information, see [Set-SharingPolicy](/powershell/module/exchange/set-sharingpolicy).

-See [Connect to Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell-v2) for prerequisites and guidance for connecting to Exchange Online PowerShell.

-To perform these steps, you must be using an active Microsoft PowerShell command window that you ran by choosing the ΓÇ£Run as administratorΓÇ¥ option.

-1. In a PowerShell window, load the EXO V2 module by running the following command:

- ```powershell

- Import-Module ExchangeOnlineManagement

- ```

- > [!NOTE]

- > If you've already [installed the EXO V2 module](/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exo-v2-module), the previous command will work as written.

-

-2. The command that you need to run uses the following syntax:

- ```powershell

- Connect-ExchangeOnline -UserPrincipalName <UPN>

- ```

- - _\<UPN\>_ is your account in user principal name format (for example, `john@contoso.com`).

-3. When you are prompted, log on with tenant administrator credentials to the Microsoft 365 tenant that hosts the booking calendar you want to permanently delete.

-4. Once this command is done processing, enter the following command to get a list of the booking mailboxes in your tenant:

-5. Type the following command:

- remove-mailbox [BookingCalendarToDelete]

-6. To verify that the calendar has been deleted, enter the following command:

- - Items matched

- - Escalated items

- - Resolved items

- - Tagged as compliant

- - Tagged as non-compliant

- - Tagged as questionable

- - Items pending review

- - User notified

- - Case created

- - Items matched

- - Escalated items

- - Resolved items

- - Tagged as compliant

- - Tagged as non-compliant

- - Tagged as questionable

- - Items pending review

- - User notified

- - Case created

- - Items matched

- - Escalated items

- - Resolved items

- - Tagged as compliant

- - Tagged as non-compliant

- - Tagged as questionable

- - Items pending review

- - User notified

- - Case created

- - **Email**: Sensitive information types detected in Exchange email messages.

- - **Teams**: Sensitive information types detected in Microsoft Teams channels and chat messages.

- - **Yammer**: Sensitive information types detected in Yammer inboxes, posts, chats, and replies.

- - **Third-party sources**: Sensitive information types detected for activities associated with third-party connectors configured in your organization. To view the breakdown of third-party sources for a specific sensitive information type in the report, hover your mouse over the value for the sensitive information type in the Third-party source column.

- - **Other**: Sensitive information types used for internal system processing. Selecting or deselecting this source for the report won't affect any values.

-|**Field**|**Details**|

-|:--|:--|

-|**Field**|**Details**|

-|:--|:--|

-1. Use the [Connect-ExchangeOnline](/powershell/module/exchange/connect-exchangeonline) cmdlet in the Exchange Online PowerShell V2 module to connect to Exchange Online PowerShell using modern authentication.

-2. Run the following command in PowerShell:

-### Step 1: Install the Exchange Online PowerShell V2 module

-To begin, you'll need the Exchange Online PowerShell module (v2.0.3 or higher) that's available in the PowerShell gallery. For installation instructions, see [Install and maintain the EXO V2 module](/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exo-v2-module).

-To manage disposition reviews and confirm that records have been deleted, you must have sufficient permissions and auditing must be enabled. Also be aware of any [limitations](retention-limits.md#maximum-number-of-items-for-disposition) for disposition.

-Access log can be enabled using [Exchange Online PowerShell V2 module](/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps). The *-EnablePortalTrackingLogs* parameter of Set-IrmConfiguration specifies whether to enable the audit logs of accessing the encrypted message portal. Valid values are:

-You can also use search permissions filtering to create logical boundaries (called *compliance boundaries*) within an organization that control the user content locations (such as mailboxes, SharePoint sites, and OneDrive accounts) that specific eDiscovery managers can search. For more information, see [Set up compliance boundaries for eDiscovery investigations](set-up-compliance-boundaries.md).

-

-The following four cmdlets in Security & Compliance PowerShell let you configure and manage search permissions filters:

-

-[New-ComplianceSecurityFilter](#new-compliancesecurityfilter)

-[Get-ComplianceSecurityFilter](#get-compliancesecurityfilter)

-[Set-ComplianceSecurityFilter](#set-compliancesecurityfilter)

-[Remove-ComplianceSecurityFilter](#remove-compliancesecurityfilter)

-Before you can successfully run the script in this section, you have to download and install the Exchange Online PowerShell V2 module. For information, see [About the Exchange Online PowerShell V2 module](/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exo-v2-module).

- $Host.UI.RawUI.WindowTitle = $UserCredential.UserName + " (Exchange Online + Compliance Center)"

-The **New-ComplianceSecurityFilter** is used to create a search permissions filter. Here's the basic syntax for this cmdlet:

-### *FilterName*

-### *Filters*

-The _Filters_ parameter specifies the search criteria for the compliance security filter. You can create three different types of filters:

- |Property name |Example |

- |||

- |Alias |`"Mailbox_Alias -like 'v-'"` |

- |Company |`"Mailbox_Company -eq 'Contoso'"` |

- |CountryOrRegion |`"Mailbox_CountryOrRegion -eq 'United States'"` |

- |Department |`"Mailbox_Department -eq 'Finance'"` |

- |||

-

-

- These two filters are interchangeable. For example, `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors'"` and `"SiteContent_Path -like 'https://contoso.sharepoint.com/sites/doctors'"` return the same results. For a list of searchable site properties, see [Keyword queries and search conditions for eDiscovery](keyword-queries-and-search-conditions.md#searchable-site-properties) For a more complete list, see [Overview of crawled and managed properties in SharePoint](/SharePoint/technical-reference/crawled-and-managed-properties-overview). Properties marked with a **Yes** in the **Queryable** column can be used to create a site or site content filter.

-Keep the following considerations in mind when configuring the *Filters* parameter for search permissions filters:

-### *Users*

-A *filters list* is a filter that includes a mailbox filter and a site filter separated by a comma. This comma also functions as an **OR** operator. Using a filters list is the only supported method for combining different types of filters. In the following example, notice that a comma separates the **Mailbox** and **Site** filters:

-

-

-

-New-ComplianceSecurityFilter -FilterName NoExecutivesPreview -Users All -Filters "Mailbox_MemberOfGroup -ne '$($DG.DistinguishedName)'"

-

-New-ComplianceSecurityFilter -FilterName DocumentDateRestrictionFilter -Users donh@contoso.com -Filters "SiteContent_LastModifiedTime -ge '01-01-2015' -and SiteContent_LastModifiedTime -le '12-31-2015'"

-

-

-### *FilterName*

-### *Users*

-### *Filters*

- - **Site_** *SearchableSiteProperty*

- - **SiteContent**_*SearchableSiteProperty*

-

- These two filters are interchangeable. For example, `"Site_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` and `"SiteContent_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` return the same results. For a list of searchable site properties, see [Overview of crawled and managed properties in SharePoint](/SharePoint/technical-reference/crawled-and-managed-properties-overview). Properties marked with a **Yes** in the **Queryable** column can be used to create a site or site content filter.

-

-

- For example, you have a permissions filter that allows Bob to perform all search actions on the mailboxes of members of the Workers distribution group. Then Bob runs a search on all mailboxes in the organization with the search query `sender:jerry@adatum.com`. Because the permissions filter and the search query are logically combined by an **AND** operator, the search returns any message sent by jerry@adatum.com to any member of the Workers distribution group.

-

-

-Also, the number of search permissions filters appended to a query depends on the user who is running the search. When a specific user runs a search, the search permissions filters that are applied to the user (which is defined by the *Users* parameter in the filter) are appended to the query. Your organization could have hundreds of search permissions filters, but if more than 100 filters are applied to the same users, then it's likely the 100-condition limit will be exceeded when those users run searches.

-There's one more thing to keep in mind about the condition limit. The number of specific SharePoint sites that are included in the search query or search permissions filters also count against this limit.

-## Maximum number of items for disposition

-|[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) to existing documents | Rolling out to Current Channel: 2208+ <br /><br> Monthly Enterprise Channel: Under review <br /><br> Semi-Annual Enterprise Channel: Under review | Rolling out to 16.63+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

-|[Sensitivity bar](#sensitivity-bar) and [display label color](#label-colors) | Preview: Rolling out to [Beta Channel](https://office.com/insider) | Preview: Rolling out to [Beta Channel](https://office.com/insider) | Under review | Under review | Under review |

-For supported apps, sensitivity labels are now displayed in a sensitivity bar, displaying next to the file name on the top window bar. For example:

-Information about the labels and the ability to select or change a label are also integrated into user workflows that includes save and rename, export, share, print, and [convert to PDF](#pdf-support).

-> The Azure Information Protection unified labeling client supports label colors. For labeling built in to Office, label colors are currently supported in preview for Word, Excel, and PowerPoint on Windows and macOS, but not Outlook or Office for the web. For more information, see the tables in the [capabilities](#support-for-sensitivity-label-capabilities-in-apps) section on this page.

-Sublabels are simply a way to present labels to users in logical groups. Sublabels don't inherit any settings from their parent label. When you publish a sublabel for a user, that user can then apply that sublabel to content but can't apply just the parent label.

-Don't choose a parent label as the default label, or configure a parent label to be automatically applied (or recommended). If you do, the parent label won't be applied to content.

-The requirements for installing and using the EXO V2 module are described in [Install and maintain the EXO V2 module](/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exo-v2-module).

-To connect Exchange Online PowerShell to a specific geo location, the *ConnectionUri* parameter is different than the regular connection instructions. The rest of the commands and values are the same.

-1. In a Windows PowerShell window, load the EXO V2 module by running the following command:

-For more informaion, see [group-based licensing in Azure AD](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal).

- - [Exchange Online PowerShell V2](/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exchange-online-powershell-v2-module)

-[Security roadmap](../security/office-365-security/security-roadmap.md)

-Microsoft Defender for Endpoint can be configured to send threat signals to be used in app protection policies (APP, also known as MAM). With this capability, you can use Microsoft Defender for Endpoint to protect managed apps.

-## Configure privacy controls

->[!IMPORTANT]

->Privacy controls on Microsoft Defender for Endpoint on MAM are in public preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

->**If you want to try out this feature or provide feedback, please reach out to us at mdatpmobile@microsoft.com.**

-4. In Settings page, under the General Configuration Settings add **DefenderExcludeURLInReport**, **DefenderExcludeAppInReport** as the keys and value as true.

->[!IMPORTANT]

->Optional Permissions on Microsoft Defender for Endpoint is in public preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

->**If you want to try out this feature or provide feedback, please reach out to us at mdatpmobile@microsoft.com.**

-4. In Settings page, select **Use configuration designer** and add **DefenderOptionalVPN** or **DefenderOptionalAccessibility** or **both** as the key and value type as Boolean.

- - Choose **Work Profile only** as Profile Type.

- - Click **Select App**, choose **Microsoft Defender ATP**, select **OK** and then **Next**.

- 1. In the **Settings** page, go to the **Configuration settings** section and choose **'Use configuration designer'** in Configuration settings format.

- The app configuration policy for Defender for Endpoint autogranting the storage permission is now assigned to the selected user group.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="images/android-review-create.png" alt-text="The Review + create tab in the Create app configuration policy page" lightbox="images/android-review-create.png":::

-10. Select **Microsoft Defender ATP** app in the list \> **Properties** \>

-Microsoft Defender for Endpoint on Android enables Privacy Controls for both the Admins and the End Users. This includes the controls for enrolled (MDM) as well as unenrolled (MAM) devices (in preview). Admins can configure the privacy in the alert report while End Users can configure the information shared to their organization. For more information, see [privacy controls(MDM)](/microsoft-365/security/defender-endpoint/android-configure#privacy-controls) and [privacy controls (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam#configure-privacy-controls).

-Built-in protection is a set of default settings that are rolling out to help ensure your devices are protected. These default settings are designed to protect devices from ransomware and other threats. Initially, built-in protection will include turning [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) on for your tenant, with other default settings coming soon.

- - `\\stroageaccount.file.core.windows.net\share**.VHD`

- - `\\stroageaccount.file.core.windows.net\share**.VHDX`

-|`%LOCALAPPDATA%`|`C:\Windows\System32\config\systemprofile\AppData\Local`|

-real_time_protection_enabled : false

-real_time_protection_available : true

-|onboardingstatus|String|Status of machine onboarding. Possible values are: "onboarded" and "offboarded".|

-To use the script, download it to an installation directory where you have also placed the installation and onboarding packages (see [Configure server endpoints](configure-server-endpoints.md).

- - **The email should have been categorized as**: Select **Phish**, **Malware**, or **Spam**. If you're not sure, use your best judgement.

- > [!NOTE]

- > File submissions are not available in clouds that do not allow for data to leave the environment. **Browse files** is greyed out.

- - **The email should have been categorized as**: Select **Phish** or **Malware**. If you're not sure, use your best judgement.

- > [!NOTE]

- > URL submissions are not available in clouds that do not allow for data to leave the environment. **URL** is greyed out.

- - **The email should have been categorized as**: Select **Phish** or **Malware**. If you're not sure, use your best judgement.

- - **Tags**: The default value is **All** or select a [user tag](user-tags.md) from the drop down list.

- - **Tags**: The default value is **All** or select a [user tag](user-tags.md) from the drop down list.

- - To group the entries, click  **Group** and select one of the following values from the drop down list:

- - **Tags**: The default value is **All** or select a [user tag](user-tags.md) from the drop down list.

- - **Tags**: The default value is **All** or select a [user tag](user-tags.md) from the drop down list.

- - CSH

-## Secure Microsoft 365 like a cybersecurity pro

-Your Microsoft 365 subscription comes with a powerful set of security capabilities that you can use to protect your data and your users. Use the [Microsoft 365 security roadmap - Top priorities for the first 30 days, 90 days, and beyond](security-roadmap.md) to implement Microsoft recommended best practices for securing your Microsoft 365 tenant.

-## Secure Microsoft 365 like a cybersecurity pro

-Your Microsoft 365 subscription comes with a powerful set of security capabilities that you can use to protect your data and your users. Use the [Microsoft 365 security roadmap - Top priorities for the first 30 days, 90 days, and beyond](security-roadmap.md) to implement Microsoft recommended best practices for securing your Microsoft 365 tenant.

-The Tenant Allow/Block list is available in the the Microsoft 365 Defender portal at <https://security.microsoft.com> \> **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. To go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.

- - If the message was blocked by by [domain or user impersonation protection](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) in Defender for Office 365, an allow entry is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains section** in the [anti-phishing policy](configure-mdo-anti-phishing-policies.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message.

- - If the message was not blocked, and allow entry for the sender is not created, so it won't on the **Spoofed senders** tab or the **Domains & addresses** tab.

-After you add an allow entry through the Submissions portal or a block entry in the Tenant Allow/Block List, the entry should start working immediately.

-These recommendations are intended for enterprise architects and IT professionals who are familiar with Microsoft 365 cloud productivity and security services, which includes Azure AD (identity), Microsoft Intune (device management), and Microsoft Purview Information Protection (data protection).

- Recommendations that apply to starting point security for your tenant.

- Recommendations that include logging, data governance, admin access, and threat protection.

-|Use the Microsoft Defender Vulnerability Management dashboard (or the new [Security dashboard](security-dashboard.md) <p> View information about recent or current threats|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <p> These roles can be assigned in either Azure Active Directory (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).|

- - NOCSH

- - o365_security_incident_response

- - M365-security-compliance

- - MET150

-description: This solution tells you what the most common cybersecurity attacks might look like in Microsoft 365 and how to respond to them

- - seo-marvel-apr2020

-# Security Incident Response

-**Applies to**

- **Summary:** This solution tells you what the indicators are for the most common cybersecurity attacks in Office 365, how to positively confirm any given attack, and how to respond to it.

-## Learn how to respond to cyberattacks

-Not all cyberattacks can be thwarted. Attackers are constantly looking for new weaknesses in your defensive strategy or they are exploiting old ones. Knowing how to recognize an attack allows you to respond to it faster, which shortens the duration of the security incident.

-This series of article helps you understand what a particular type of attack might look like in Microsoft 365 and gives you steps you can take to respond. They are quick entry points to understanding:

-Check back here monthly as more articles will be added over time.

-## Detect and remediate articles

-## Incident response articles

-## Secure Microsoft 365 like a cybersecurity pro

-Your Microsoft 365 subscription comes with a powerful set of security capabilities that you can use to protect your data and your users. Use the [Microsoft 365 security roadmap - Top priorities for the first 30 days, 90 days, and beyond](security-roadmap.md) to implement Microsoft recommended best practices for securing your Microsoft 365 organization.

- - MET150

- - MOE150

- - M365-security-compliance

- - m365initiative-defender-office365

-description: Security in Office 365, from EOP to Defender for Office 365 Plans 1 and 2, Standard vs. Strict security configurations, and more. Understand what you have and learn how to secure your properties.

-# Office 365 security

-**Applies to**

-This article will introduce you to your new security properties in the Cloud. Whether you're part of a Security Operations Center, you're a Security Administrator new to the space, or you want a refresher, let's get started.

-> [!CAUTION]

-> If you're using **Outlook.com**, **Microsoft 365 Family**, or **Microsoft 365 Personal**, and need *Safe Links* or *Safe Attachments* info, ***click this link***: [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/advanced-outlook-com-security-for-office-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2).

-## Office 365 security spelled out

-Every Office 365 subscription comes with security capabilities. The goals and actions that you can take depend on the focus of these different subscriptions. In Office 365 security, there are three main security services (or products) tied to your subscription type:

-1. Exchange Online Protection (EOP)

-1. Microsoft Defender for Office 365 Plan 1 (Defender for Office P1)

-1. Microsoft Defender for Office 365 Plan 2 (Defender for Office P2)

-> [!NOTE]

-> If you bought your subscription and need to roll out security features *right now*, skip to the steps in the [Protect Against Threats](protect-against-threats.md) article. If you're new to your subscription and would like to know your license before you begin, browse Billing > Your Products in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/#/homepage).

-Office 365 security builds on the core protections offered by EOP. EOP is present in any subscription where Exchange Online mailboxes can be found (remember, all the security products discussed here are Cloud-based).

-You may be accustomed to seeing these three components discussed in this way:

-|EOP|Microsoft Defender for Office 365 P1|Microsoft Defender for Office 365 P2|

-||||

-|Prevents broad, volume-based, known attacks.|Protects email and collaboration from zero-day malware, phish, and business email compromise.|Adds post-breach investigation, hunting, and response, as well as automation, and simulation (for training).|

-But in terms of architecture, let's start by thinking of each piece as cumulative layers of security, each with a security emphasis. More like this:

-<!--:::image type="content" source="../../media/tp-EOPATPStack.PNG" alt-text="Placeholder graphic.":::-->

-Though each of these services emphasizes a goal from among Protect, Detect, Investigate, and Respond, ***all*** the services can carry out ***any*** of the goals of protecting, detecting, investigating, and responding.

-The core of Office 365 security is EOP protection. Microsoft Defender for Office 365 P1 contains EOP in it. Defender for Office 365 P2 contains P1 and EOP. The structure is cumulative. That's why, when configuring this product, you should start with EOP and work to Defender for Office 365.

-Though email authentication configuration takes place in public DNS, it's important to configure this feature to help defend against spoofing. *If you have EOP,* ***you should [configure email authentication](email-validation-and-authentication.md)***.

-If you have an Office 365 E3, or below, you have EOP, but with the option to buy standalone Defender for Office 365 P1 through upgrade. If you have Office 365 E5, you already have Defender for Office 365 P2.

-> [!TIP]

-> If your subscription is neither Office 365 E3 or E5, you can still check to see if you have the option to upgrade to Microsoft Defender for Office 365 P1. If you're interested, [this webpage](https://www.microsoft.com/microsoft-365/exchange/advance-threat-protection#coreui-contentrichblock-x07wids) lists subscriptions eligible for the Microsoft Defender for Office 365 P1 upgrade (check the end of the page for the fine-print).

-## The Office 365 security ladder from EOP to Microsoft Defender for Office 365

-

-> [!IMPORTANT]

-> Learn the details on these pages: [Exchange Online Protection](exchange-online-protection-overview.md), and [Defender for Office 365](defender-for-office-365.md).

-What makes adding Microsoft Defender for Office 365 plans an advantage to pure EOP threat management can be difficult to tell at first glance. To help sort out if an upgrade path is right for your organization, let's look at the capabilities of each product when it comes to:

-starting with **Exchange Online Protection**:

-<p>

-|Prevent/Detect|Investigate|Respond|

-||||

-|Technologies include:<ul><li>spam</li><li>phish</li><li>malware</li><li>bulk mail</li><li>spoof intelligence</li><li>impersonation detection</li><li>Admin Quarantine</li><li>Admin and user submissions of False Positives and False Negatives</li><li>Allow/Block for URLs and Files</li><li>Reports</li></ul>|<li>Audit log search</li><li>Message Trace</li>|<li>Zero-hour auto purge (ZAP)</li><li>Refinement and testing of Allow and Block lists</li>|

-If you want to dig in to EOP, **[jump to this article](exchange-online-protection-overview.md)**.

-Because these products are cumulative, if you evaluate Microsoft Defender for Office 365 P1 and decide to subscribe to it, you'll add these abilities.

-Gains with **Defender for Office 365, Plan 1** (to date):

-<p>

-|Prevent/Detect|Investigate|Respond|

-||||

-|Technologies include everything in EOP plus:<ul><li>Safe attachments</li><li>Safe links<li>Microsoft Defender for Office 365 protection for workloads (ex. SharePoint Online, Teams, OneDrive for Business)</li><li>Time-of-click protection in email, Office clients, and Teams</li><li>anti-phishing in Defender for Office 365</li><li>User and domain impersonation protection</li><li>Alerts, and SIEM integration API for alerts</li>|<li>SIEM integration API for detections</li><li>**Real-time detections tool**</li><li>URL trace</li>|<li>Same</li></ul>

-So, Microsoft Defender for Office 365 P1 expands on the ***prevention*** side of the house, and adds extra forms of ***detection***.

-Microsoft Defender for Office 365 P1 also adds **Real-time detections** for investigations. This threat hunting tool's name is in bold because having it is clear means of *knowing* you have Defender for Office 365 P1. It doesn't appear in Defender for Office 365 P2.

-Gains with **Defender for Office 365, Plan 2** (to date):

-<p>

-|Prevent/Detect|Investigate|Respond|

-||||

-|Technologies include everything in EOP, and Microsoft Defender for Office 365 P1 plus:<ul><li>Same</li>|<li>**Threat Explorer**</li><li>Threat Trackers</li><li>Campaign views</li>|<li>Automated Investigation and Response (AIR)</li><li>AIR from Threat Explorer</li><li>AIR for compromised users</li><li>SIEM Integration API for Automated Investigations</li>

-So, Microsoft Defender for Office 365 P2 expands on the ***investigation and response*** side of the house, and adds a new hunting strength. Automation.

-In Microsoft Defender for Office 365 P2, the primary hunting tool is called **Threat Explorer** rather than Real-time detections. If you see Threat Explorer when you navigate to the Defender for Cloud, you're in Microsoft Defender for Office 365 P2.

-To get into the details of Microsoft Defender for Office 365 P1 and P2, **[jump to this article](defender-for-office-365.md)**.

-> [!TIP]

-> EOP and Microsoft Defender for Office 365 are also different when it comes to end-users. In EOP and Defender for Office 365 P1, the focus is *awareness*, and so those two services include the *Report message Outlook add-in* so users can report emails they find suspicious, for further analysis. <p> In Defender for Office 365 P2 (which contains everything in EOP and P1), the focus shifts to *further training* for end-users, and so the Security Operations Center has access to a powerful *Threat Simulator* tool, and the end-user metrics it provides.

-## Microsoft Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet

-This quick-reference will help you understand what capabilities come with each Microsoft Defender for Office 365 subscription. When combined with your knowledge of EOP features, it can help business decision makers determine what Microsoft Defender for Office 365 is best for their needs.

-|Defender for Office 365 Plan 1|Defender for Office 365 Plan 2|

-|||

-|Configuration, protection, and detection capabilities: <ul><li>[Safe Attachments](safe-attachments.md)</li><li>[Safe Links](safe-links.md)</li><li>[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)</li><li>[Anti-phishing protection in Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer.md)</li></ul>|Defender for Office 365 Plan 1 capabilities <p> plus <p> Automation, investigation, remediation, and education capabilities: <ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer.md)</li><li>[Automated investigation and response](office-365-air.md)</li><li>[Attack Simulator](attack-simulator.md)</li></ul>|

-> [!TIP]

-> ***Insider tip***. You can use the Microsoft Docs table of contents to learn about EOP and Microsoft Defender for Office 365. Navigate back to this page, [Office 365 Security overview](index.yml), and you'll notice that table of contents organization in the side-bar. It begins with Deployment (including migration) and then continues into prevention, detection, investigation, and response. <p> This structure is divided so that **Security Administration** topics are followed by **Security Operations** topics. If you're a new member of either job role, use the link in this tip, and your knowledge of the table of contents, to help learn the space. Remember to use *feedback links* and *rate articles* as you go. Feedback helps us improve what we offer you.

-## Where to go next

-If you're a Security Admin, you may need to configure DKIM or DMARC for your mail. You may want to roll out 'Strict' security presets for your priority users, or look for what's new in the product. Or if you're with Security Ops, you may want to leverage Real-time detections or Threat Explorer to investigate and respond, or train end-user detection with Attack Simulator. Either way, here are some additional recommendations for what to look at next.

-[Email Authentication, including SPF, DKIM, and DMARC (with links to setup of all three)](email-validation-and-authentication.md)

-[See the specific recommended 'golden' configs](recommended-settings-for-eop-and-office365.md) and [use their recommended presets to configure security policies quickly](preset-security-policies.md)

-Catch up on [what's new in Microsoft Defender for Office 365 (including EOP developments)](whats-new-in-defender-for-office-365.md)

-[Use Threat Explorer or Real-time detections](threat-explorer.md)

-Use [Attack Simulator in Microsoft Defender for Office 365](attack-simulator.md)

- - NOCSH

- - seo-marvel-apr2020

-description: In this article, you'll learn about reports and troubleshooting tools available to Microsoft Exchange Online Protection (EOP) admins.

-# Reporting and message trace in EOP

-**Applies to**

-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP offers many different reports that can help you determine the overall status and health of your organization. There are also tools to help you troubleshoot specific events (such as a message not arriving to its intended recipients), and auditing reports to aid with compliance requirements.

-## Usage reports

-## Security reports in the Microsoft 365 defender portal

-These enhanced reports provide an interactive reporting experience for EOP admins, which includes summary information, and the ability to drill down for more details.

-## Mail flow insights in the Security & Compliance Center

-For more information, see [Mail flow insights in the Security & Compliance Center](mail-flow-insights-v2.md).

-## Custom reports using Microsoft Graph

-Programmatically create reports that are available in the admin center by using Microsoft Graph. For more information, see [Overview of Microsoft Graph](/graph/overview) and [Working with Office 365 usage reports in Microsoft Graph](/graph/api/resources/report).

-## Message trace

-Follows email messages as they travel through EOP. You can determine if an email message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.

-You can use this information to efficiently answer your user's questions, troubleshoot mail flow issues, validate policy changes, and alleviates the need to contact technical support for assistance.

-See [Message trace in the Microsoft 365 Defender portal](message-trace-scc.md).

-## Audit logging

-Tracks specific changes made by admins to your organization. These reports can help you troubleshoot configuration issues or find the cause of security or compliance-related problems. See [Auditing reports in Exchange Online](/exchange/security-and-compliance/exchange-auditing-reports/exchange-auditing-reports).

-## Reporting and message trace data availability and latency

-The following table describes when EOP reporting and message trace data is available and for how long.

-|Report type|Data available for (look back period)|Latency|

-||||

-|Mail protection summary reports|90 days|Message data aggregation is mostly complete within 24-48 hours. Some minor incremental aggregated changes may occur for up to 5 days.|

-|Mail protection detail reports|90 days|For detail data that's less than 7 days old, data should appear within 24 hours but may not be complete until 48 hours. Some minor incremental changes may occur for up to 5 days. <p> To view detail reports for messages that are greater than 7 days old, results may take up to a few hours.|

-|Message trace data|90 days|When you run a message trace for messages that are less than 7 days old, the messages should appear within 5-30 minutes.<p> When you run a message trace for messages that are greater than 7 days old, results may take up to a few hours.|

-> [!NOTE]

-> Data availability and latency is the same whether requested via the admin center or remote PowerShell.

- - NOCSH

- - MET150

- - MOE150

- - M365-security-compliance

-description: Learn about the smart reports and insights, and how to use them to view and explore data and take quick actions.

-# Smart reports and insights in the Security & Compliance Center

-**Applies to**

-Security teams can use the smart reports and insights in the Security & Compliance Center to monitor the health and security of their organizations. This information is presented in the **Dashboard** at <https://protection.office.com/insightdashboard>:

-The smart reports and insights on the **Dashboard** have the following capabilities:

-For example, if users in your organization are suddenly reporting a high number of email messages as spam, you should verify the settings in your anti-spam policies.

-## Types of reports in the Security & Compliance Center

-The following table list the reports that are available in the **Dashboard**:

-|Type of information|How to get there|Where to go to learn more|

-||||

-|**All up** <p> Top insights and recommendations, and links to available security reports and compliance reports.|<https://protection.office.com/insightdashboard>|[Reports in the Security & Compliance Center](../../compliance/reports-in-security-and-compliance.md)|

-|**Email & collaboration reports** <p> Threat detections, malware trends, top targeted users, details about sent and received email messages, and more.|<https://security.microsoft.com/emailandcollabreport>|[View email security reports](view-email-security-reports.md) <p> [View reports for Defender for Office 365](view-reports-for-mdo.md)|

-|**Explorer** (also referred to as Threat explorer) or **Real-time detections** <p> Suspected malware detected in email and files in Microsoft 365.|<https://security.microsoft.com/threatexplorer> <p> <https://security.microsoft.com/realtimereports>|[Threat Explorer (or real-time detections)](threat-explorer.md)|

-## Related topics

-[Microsoft 365 Defender portal](../defender/microsoft-365-defender-portal.md)

-[Protect against threats in Office 365](protect-against-threats.md)

-## Secure Microsoft 365 like a cybersecurity pro

-Your Microsoft 365 subscription comes with a powerful set of security capabilities that you can use to protect your data and your users. Use the [Microsoft 365 security roadmap - Top priorities for the first 30 days, 90 days, and beyond](security-roadmap.md) to implement Microsoft recommended best practices for securing your Microsoft 365 tenant.

- - NOCSH

- - MET150

- - MOE150

- - M365-security-compliance

- - seo-marvel-apr2020

-description: Use the new Security Dashboard to review Office 365 Threat Protection Status, and view and act on security alerts.

-# Security dashboard in the Security & Compliance Center

-## Basic functions and how to open Security dashboard

-The Security & Compliance Center at <https://protection.office.com> enables your organization to manage data protection and compliance. Assuming you have the necessary permissions, the Security Dashboard enables you to review your Threat Protection Status, as well as view and act on security alerts.

-Watch the video to get an overview, and then read this article to learn more.

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1VV3o]

-Depending on what your organization's subscription includes, the Security Dashboard includes several widgets, such as Threat Management Summary, Threat Protection Status, Global Weekly Threat Detections, Malware, and more, as described in the following sections.

-To view the Security Dashboard in the Security & Compliance Center, go to go to **Threat management** \> **Dashboard**. To go directly to the Security dashboard, use <https://protection.office.com/searchandinvestigation/dashboard>.

-> [!NOTE]

-> You must be a global administrator, a security administrator, or a security reader to view the Security Dashboard. Some widgets require additional permissions to view. To learn more, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md)[.

-## Threat Management Summary

-The Threat Management Summary widget tells you at a glance how your organization was protected from threats over the past seven (7) days.

-The information you'll see in the Threat Management Summary depends on what your subscription includes. The following table describes what information is included for Office 365 E3 and Office 365 E5.

-|Office 365 E3|Office 365 E5|

-|||

-|Malware messages blocked<br>Phishing messages blocked<br>Messages reported by users<br><br><br><br>|Malware messages blocked<br>Phishing messages blocked<br>Messages reported by users<br>Zero-day malware blocked<br>Advanced phishing messages detected<br>Malicious URLs blocked|

-To view or access the Threat Management Summary widget, you must have permissions to view Defender for Office 365 reports. To learn more, see [What permissions are needed to view the Defender for Office 365 reports?](view-reports-for-mdo.md#what-permissions-are-needed-to-view-the-defender-for-office-365-reports).

-## Threat Protection Status

-The Threat Protection Status widget shows threat protection effectiveness with a trending and detailed view of phish and malware.

-The details depend on whether your Microsoft 365 subscription includes [Exchange Online Protection](exchange-online-protection-overview.md) (EOP) with or without [Microsoft Defender for Office 365](defender-for-office-365.md).

-|If your subscription includes...|You'll see these details|

-|||

-|EOP but not Microsoft Defender for Office 365|Malicious email that was detected and blocked by EOP.<p> See [Threat Protection Status report (EOP)](view-email-security-reports.md#threat-protection-status-report).|

-|Microsoft Defender for Office 365|Malicious content and malicious email detected and blocked by EOP and Defender for Office 365 <p> Aggregated count of unique email messages with malicious content blocked by the anti-malware engine, [zero-hour auto purge](zero-hour-auto-purge.md), and Defender for Office 365 features (including [Safe Links](safe-links.md), [Safe Attachments](safe-attachments.md), and [Anti-phishing in Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)). <p> See [Threat protection status report](view-reports-for-mdo.md#threat-protection-status-report).|

-To view or access the Threat Protection Status widget, you must have permissions to view Defender for Office 365 reports. To learn more, see [What permissions are needed to view the Defender for Office 365 reports?](view-reports-for-mdo.md#what-permissions-are-needed-to-view-the-defender-for-office-365-reports)

-## Global Weekly Threat Detections

-The Global Weekly Threat Detections widget shows how many threats were detected in email messages over the past seven (7) days.

-The metrics are calculated as described in the following table:

-|Metric|How it's calculated|

-|||

-|Messages scanned|Number of email messages scanned multiplied by the number of recipients|

-|Threats stopped|Number of email messages identified as containing malware multiplied by the number of recipients|

-|Blocked by [Defender for Office 365](defender-for-office-365.md)|Number of email messages blocked by Defender for Office 365 multiplied by the number of recipients|

-|Removed after delivery|Number of messages removed by [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md) multiplied by the number of recipients|

-## Malware

-Malware widgets show details about malware trends and malware family types over the past seven (7) days.

-## Insights

-Insights not only surface key issues you should review, they also include recommendations and actions to consider.

-For example, you might see that phishing email messages are being delivered because some users have disabled their junk mail options. To learn more about how insights work, see [Reports and insights in the Security & Compliance Center](reports-and-insights-in-security-and-compliance.md).

-## Threat investigation and response

-If your organization's subscription includes [Microsoft Defender for Office 365 Plan 2](office-365-ti.md), your Security Dashboard has a section that includes advanced threat investigation and response tools. These tools include [automated investigation and response capabilities](automated-investigation-response-office.md). Automated investigation and response can be helpful in scenarios such as [addressing compromised user accounts quickly](address-compromised-users-quickly.md).

-To learn more, see [Get started using Automated investigation and response (AIR) in Office 365](office-365-air.md).

-## Trends

-Near the bottom of the Security Dashboard is a **Trends** section, which summarizes email flow trends for your organization. Reports provide information about email categorized as spam, malware, phishing attempts, and good email. Click a tile to view more detailed information in the report.

-And, if your organization's subscription includes [Defender for Office 365 Plan 2](office-365-ti.md), you will also have a **Recent threat management alerts** report in this section that enables your security team to view and take action on high-priority security alerts.

-To view or access the Sent and Received Email widget, you must have permissions to view Defender for Office 365 reports. To learn more, see [What permissions are needed to view the Defender for Office 365 reports?](view-reports-for-mdo.md#what-permissions-are-needed-to-view-the-defender-for-office-365-reports).

-To view or access the Recent Threat Management Alerts widget, you must have permissions to view alerts. To learn more, see [RBAC permissions required to view alerts](../../compliance/alert-policies.md#rbac-permissions-required-to-view-alerts).

-## Related articles

-[View email security reports in the Security & Compliance Center](view-email-security-reports.md)

-[View reports for Microsoft Defender for Office 365](view-reports-for-mdo.md)

-[Defender for Office 365](defender-for-office-365.md)

-[Office 365 Threat investigation and response](office-365-ti.md)

- - NOCSH

- - Ent_O365

- - Strat_O365_IP

- - M365-security-compliance

- - MET150

-description: Top recommendations from Microsoft's cybersecurity team for implementing security capabilities to protect your Microsoft 365 environment.

-# Security roadmap - Top priorities for the first 30 days, 90 days, and beyond

-This article includes top recommendations from Microsoft's cybersecurity team for implementing security capabilities to protect your Microsoft 365 environment. This article is adapted from a Microsoft Ignite session ΓÇö [Secure Microsoft 365 like a cybersecurity pro: Top priorities for the first 30 days, 90 days, and beyond](https://www.youtube.com/watch?v=luignzNyR-o). This session was developed and presented by Mark Simos and Matt Kemelhar, Enterprise Cybersecurity Architects.

-In this article:

-## Roadmap outcomes

-<a name="Roadmap"> </a>

-These roadmap recommendations are staged across three phases in a logical order with the following goals.

-|Time frame|Outcomes|

-|||

-|30 days|Rapid configuration: <ul><li>Basic admin protections.</li><li>Logging and analytics.</li><li>Basic identity protections.</li></ul> <p> Tenant configuration. <p> Prepare stakeholders.|

-|90 days|Advanced protections: <ul><li>Admin accounts.</li><li>Data and user accounts.</li></ul> <p> Visibility into compliance, threat, and user needs. <p> Adapt and implement default policies and protections.|

-|Beyond|Adjust and refine key policies and controls. <p> Extend protections to on-premises dependencies. <p> Integrate with business and security processes (legal, insider threat, etc.).|

-## 30 days ΓÇö powerful quick wins

-<a name="Thirdaydays"> </a>

-These tasks can be accomplished quickly and have low impact to users.

-|Area|Tasks|

-|||

-|Security management|<ul><li>Check Secure Score and take note of your current score (<https://security.microsoft.com/securescore>).</li><li>Turn on audit logging for Office 365. See [Search the audit log](../../compliance/search-the-audit-log-in-security-and-compliance.md).</li><li>[Configure Microsoft 365 for increased security](tenant-wide-setup-for-increased-security.md).</li><li>Regularly review dashboards and reports in the Microsoft 365 Defender portal and Defender for Cloud Apps.</li></ul>|

-|Threat protection|[Connect Microsoft 365 to Microsoft Defender for Cloud Apps](/cloud-app-security/connect-office-365-to-microsoft-cloud-app-security) to start monitoring using the default threat detection policies for anomalous behaviors. It takes seven days to build a baseline for anomaly detection. <p> Implement protection for admin accounts:<ul><li>Use dedicated admin accounts for admin activity.</li><li>Enforce multi-factor authentication (MFA) for admin accounts.</li><li>Use a [highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure) for admin activity.</li></ul>|

-|Identity and access management|<ul><li>[Enable Azure Active Directory Identity Protection](/azure/active-directory/active-directory-identityprotection-enable).</li><li>For federated identity environments, enforce account security (password length, age, complexity, etc.).</li></ul>|

-|Information protection|Review example information protection recommendations. Information protection requires coordination across your organization. Get started with these resources:<ul><li>[Office 365 Information Protection for GDPR](/compliance/regulatory/gdpr)</li><li>[Configure Teams with three tiers of protection](../../solutions/configure-teams-three-tiers-protection.md) (includes sharing, classification, Microsoft Purview data loss prevention, and Azure Information Protection)</li></ul>|

-## 90 days ΓÇö enhanced protections

-<a name="Ninetydays"> </a>

-These tasks take a bit more time to plan and implement but greatly increase your security posture.

-|Area|Task|

-|||

-|Security management|<ul><li>Check Secure Score for recommended actions for your environment (<https://security.microsoft.com/securescore>).</li><li>Continue to regularly review dashboards and reports in the Microsoft 365 Defender portal, Defender for Cloud Apps, and SIEM tools.</li><li>Look for and implement software updates.</li><li>Conduct attack simulations for spear-phishing, password-spray, and brute-force password attacks using [Attack simulation training](attack-simulation-training.md) (included with [Office 365 Threat Intelligence](office-365-ti.md).</li><li>Look for sharing risk by reviewing the built-in reports in Defender for Cloud Apps (on the Investigate tab).</li><li>Check [Compliance Manager](../../compliance/compliance-manager.md) to review status for regulations that apply to your organization (such as GDPR, NIST 800-171).</li></ul>|

-|Threat protection|Implement enhanced protections for admin accounts: <ul><li>Configure [Privileged Access Workstations](/security/compass/privileged-access-devices) (PAWs) for admin activity.</li><li>Configure [Azure AD Privileged Identity Management](/azure/active-directory/active-directory-privileged-identity-management-configure).</li><li>Configure a security information and event management (SIEM) tool to collect logging data from Office 365, Defender for Cloud Apps, and other services, including AD FS. The audit log stores data for only 90 days. Capturing this data in SIEM tool allows you to store data for a longer period.</li></ul>|

-|Identity and access management|<ul><li>Enable and enforce MFA for all users.</li><li>Implement a set of [conditional access and related policies](microsoft-365-policies-configurations.md).</li></ul>|

-|Information protection| Adapt and implement information protection policies. These resources include examples: <ul><li>[Office 365 Information Protection for GDPR](/compliance/regulatory/gdpr)</li><li>[Configure Teams with three tiers of protection](../../solutions/configure-teams-three-tiers-protection.md)</li></ul> <p> Use data loss prevention policies and monitoring tools in Microsoft Purview for data stored in Microsoft 365 (instead of Defender for Cloud Apps). <p> Use Defender for Cloud Apps with Microsoft 365 for advanced alerting features (other than data loss prevention).|

-## Beyond

-<a name="Beyond"> </a>

-These are important security measures that build on previous work.

-|Area|Task|

-|||

-|Security management|<ul><li>Continue planning next actions by using Secure Score (<https://security.microsoft.com/securescore>).</li><li>Continue to regularly review dashboards and reports in the Microsoft 365 Defender portal, Defender for Cloud Apps, and SIEM tools.</li><li>Continue to look for and implement software updates.</li><li>Integrate eDiscovery into your legal and threat response processes.</li></ul>|

-|Threat protection|<ul><li>Implement [Secure Privileged Access](/windows-server/identity/securing-privileged-access/securing-privileged-access) (SPA) for identity components on premises (AD, AD FS).</li><li>Use Defender for Cloud Apps to monitor for insider threats.</li><li>Discover shadow IT SaaS usage by using Defender for Cloud Apps.</li></ul>|

-|Identity and access management|<ul><li>Refine policies and operational processes.</li><li>Use Azure AD Identity Protection to identify insider threats.</li></ul>|

-|Information protection|Refine information protection policies: <ul><li>Microsoft 365 and Office 365 sensitivity labels and data loss prevention (DLP), or Azure Information Protection.</li><li>Defender for Cloud Apps policies and alerts.</li></ul>|

-Also see: [How to mitigate rapid cyberattacks such as Petya and WannaCrypt](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/21/how-to-mitigate-rapid-cyberattacks-such-as-petya-and-wannacrypt/).

-## Check Office 365 Secure Score

-Office 365 Secure Score analyzes your organization's security based on your regular activities and security settings and assigns a score. Begin by taking note of your current score. Adjusting some tenant-wide settings will increase your score. The goal is not to achieve the max score, but to be aware of opportunities to protect your environment that do not negatively affect productivity for your users. See [Microsoft Secure Score](../defender/microsoft-secure-score.md).

-description: Admins can learn how identify a custom mailbox (also known as a user submissions mailbox) to collect spam and phishing messages that are reported by users. Other settings complete the reporting experience for users when they report messages.

- - **Customize notifications**: Click this link to customize the email notification that's sent after an admin reviews and marks a reported messages.

- - **Display company logo**: Before select this option, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your custom logo.

-[Smart reports and insights in the Microsoft 365 Defender portal](reports-and-insights-in-security-and-compliance.md)

-## Related topics

-[Smart reports and insights in the Security & Compliance Center](reports-and-insights-in-security-and-compliance.md)

-[Mail flow insights in the Security & Compliance Center](mail-flow-insights-v2.md)

-[View email security reports in the Security & Compliance Center](view-email-security-reports.md)

-[View reports for Microsoft Defender for Office 365](view-reports-for-mdo.md)

-## Related topics

-[Smart reports and insights in the Microsoft 365 Defender portal](reports-and-insights-in-security-and-compliance.md)

-[Azure AD built-in roles](/azure/active-directory/roles/permissions-reference)

-> The built-in anti-virus capabilities are a way to help contain viruses. They aren't intended as a single point of defense against malware for your environment. We encourage all customers to investigate and implement anti-malware protection at various layers and apply best practices for securing their enterprise infrastructure. For more information about strategies and best practices, see [Security roadmap](security-roadmap.md).