-1. Search ΓÇÿCVE-2020-1472' and review the associated vulnerability article, ΓÇÿCVE-2020-1472' and article, ΓÇÿRiskIQ detections into components and indicators related to FireEyeΓÇÖs breach disclosure and countermeasuresΓÇÖ.

-2. Review the ΓÇÿRiskIQ detections into components and indicators related to FireEyeΓÇÖs breach disclosure and countermeasuresΓÇÖ articleΓÇÖs Public indicators.

-3. Search ΓÇÿ173.234.155[.]208ΓÇÖ IP address in the Threat Intelligence Search bar.

-4. Review the Summary tab results that return: reputation, analyst insights, articles, services, resolutions, certificates, projects, and hashes.

-5. Navigate to the Data tab and review the data and intelligence data sets: resolutions, Whois, certificates, trackers, components, cookies, services, dns, and articles.

-6. Navigate back to the Resolutions data blade and pivot on ΓÇÿmyaeroplan[.]comΓÇÖ.

-7. Navigate to the Data tab and review the resolutions, Whois, certificates, subdomains, trackers, components, hashes, cookies, DNS, and reverse DNS data sets.

-8. Take note of the following artifacts from steps 5 and 7:

-9. Perform the respective artifact searches from step 8. Note: YouΓÇÖll want to reference the search options you learned from the Learn about Defender TIΓÇÖs Threat Intelligence Home Page features section.

-7. If you chose to *add DNS records yourself* , select **Next** and you'll see a page with all the records that you need to add to your registrars website to set up your domain.

-> Creating an additional .onmicrosoft domain and using it as your default will not do a rename for SharePoint Online. To make changes to your .onmicrosoft SharePoint domain you would need to use the [SharePoint domain rename preview](/sharepoint/change-your-sharepoint-domain-name) (currently available to any tenant with less than 1,000 sites).

-### Microsoft Purview compliance portal

-Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">compliance portal</a>, and then select **Policies** > **Alert** > **Alert policies**.

-

-### Microsoft 365 Defender portal

-Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> and under **Email & collaboration** select **Policies & rules** > **Alert policy**. Alternatively, you can go directly to <https://security.microsoft.com/alertpolicies>.

-

- - Data lifecycle management

-Microsoft provides built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and data lifecycle management risks. On the **Alert policies** page, the names of these built-in policies are in bold and the policy type is defined as **System**. These policies are turned on by default. You can turn off these policies (or back on again), set up a list of recipients to send email notifications to, and set a daily notification limit. The other settings for these policies can't be edited.

-The following table lists and describes the available default alert policies and the category each policy is assigned to. The category is used to determine which alerts a user can view on the Alerts page. For more information, see [RBAC permissions required to view alerts](#rbac-permissions-required-to-view-alerts).

-The table also indicates the Office 365 Enterprise and Office 365 US Government plan required for each one. Some default alert policies are available if your organization has the appropriate add-on subscription in addition to an E1/F1/G1 or E3/F3/G3 subscription.

-

-| Default alert policy | Description | Category | Automated investigation | Enterprise subscription |

-|:--|:--|:--|:--|:--|

-|**A potentially malicious URL click was detected**|Generates an alert when a user protected by [Safe Links](/microsoft-365/security/office-365-security/safe-links) in your organization clicks a malicious link. This alert is generated when a user clicks on a link and this event triggers a URL verdict change identification by Microsoft Defender for Office 365. This alert policy has a **High** severity setting For Defender for Office 365 P2, E5, G5 customers. This alert automatically triggers [automated investigation and response in Office 365](/microsoft-365/security/office-365-security/office-365-air). For more information on events that trigger this alert, see [Set up Safe Links policies](/microsoft-365/security/office-365-security/set-up-safe-links-policies).|Threat management|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|

-|**A user clicked through to a potentially malicious URL**|Generates an alert when a user protected by [Safe Links](/microsoft-365/security/office-365-security/safe-links) in your organization clicks a malicious link. This event is triggered when user clicks on a URL (which is identified as malicious or pending validation) and overrides the Safe Links warning page (based on your organization's Microsoft 365 for business Safe Links policy) to continue to the URL hosted page / content. This alert policy has a **High** severity setting. For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](/microsoft-365/security/office-365-security/office-365-air). For more information on events that trigger this alert, see [Set up Safe Links policies](/microsoft-365/security/office-365-security/set-up-safe-links-policies).|Threat management|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|

-|**Admin Submission result completed**|Generates an alert when an [Admin Submission](../security/office-365-security/admin-submission.md) completes the rescan of the submitted entity. An alert will be triggered every time a rescan result is rendered from an Admin Submission. These alerts are meant to remind you to [review the results of previous submissions](https://compliance.microsoft.com/reportsubmission), submit user reported messages to get the latest policy check and rescan verdicts, and help you determine if the filtering policies in your organization are having the intended impact. This policy has a **Informational** severity setting.|Threat management|No|E1/F1, E3/F3, or E5|

-|**Admin triggered manual investigation of email**|Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](../security/office-365-security/automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). This alert notifies your organization that the investigation was started. The alert provides information about who triggered it and includes a link to the investigation. This policy has an **Informational** severity setting.|Threat management|Yes|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|

-|**Admin triggered user compromise investigation**|Generates an alert when an admin triggers the manual user compromise investigation of either an email sender or recipient from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](../security/office-365-security/automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer), which shows the related manual triggering of an investigation on an email. This alert notifies your organization that the user compromise investigation was started. The alert provides information about who triggered it and includes a link to the investigation. This policy has a **Medium** severity setting.|Threat management|Yes|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|

-|**Administrative action submitted by an Administrator**|Admins can take manual email actions on email entities using various surfaces. For example, Threat Explorer, advanced hunting or through custom detection. When the remediation starts, it generates an alert. This alert shows up in the alerts queue with the name **Administrative action submitted by an Administrator** to indicate that an admin took the action of remediating an entity. The alert contains details like the action type, supporting investigation link, time, etc. It's helpful to know whenever a sensitive action like remediation is performed on entities. This policy has an **Informational** severity setting.|Threat management|Yes|E5/ Microsoft Defender for Office 365 P2 add-on subscription|

-|**Creation of forwarding/redirect rule**|Generates an alert when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account. This policy only tracks inbox rules that are created using Outlook on the web (formerly known as Outlook Web App) or Exchange Online PowerShell. This policy has a **Informational** severity setting. For more information about using inbox rules to forward and redirect email in Outlook on the web, see [Use rules in Outlook on the web to automatically forward messages to another account](https://support.office.com/article/1433e3a0-7fb0-4999-b536-50e05cb67fed).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|

-|**eDiscovery search started or exported**|Generates an alert when someone uses the Content search tool in the Microsoft Purview portal. An alert is triggered when the following content search activities are performed: <br><br> <li> A content search is started <li> The results of a content search are exported <li> A content search report is exported <br><br> Alerts are also triggered when the previous content search activities are performed in association with an eDiscovery case. This policy has a **Informational** severity setting. For more information about content search activities, see [Search for eDiscovery activities in the audit log](search-for-ediscovery-activities-in-the-audit-log.md#ediscovery-activities).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|

-|**Elevation of Exchange admin privilege**|Generates an alert when someone is assigned administrative permissions in your Exchange Online organization. For example, when a user is added to the Organization Management role group in Exchange Online. This policy has a **Low** severity setting.|Permissions|No|E1/F1/G1, E3/F3/G3, or E5/G5|

-|**Email messages containing malicious file removed after delivery**|Generates an alert when any messages containing a malicious file are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|Yes|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|

-|**Email messages containing malicious URL removed after delivery**|Generates an alert when any messages containing a malicious URL are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|

-|**Email messages from a campaign removed after delivery**|Generates an alert when any messages associated with a [Campaign](../security/office-365-security/campaigns.md) are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|

-|**Email messages removed after delivery**|Generates an alert when any malicious messages that do not contain a malicious entity (URL or File), or associated with a Campaign, are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|

-|**Messages containing malicious entity not removed after delivery**|Generates an alert when any message containing malicious content (file, URL, campaign, no entity), is delivered to mailboxes in your organization. If this event occurs, Microsoft attempted to remove the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md), but the message was not removed due to a failure. Additional investigation is recommended. This policy has a **Medium** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md).|Threat management|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|

-|**Email reported by user as malware or phish**|Generates an alert when users in your organization report messages as phishing email using the Report Message add-in. This policy has an **Low** severity setting. For more information about this add-in, see [Use the Report Message add-in](https://support.office.com/article/b5caa9f1-cdf3-4443-af8c-ff724ea719d2). For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md).|Threat management|Yes|E1/F1/G1, E3/F3/G3, or E5/G5|

-|**Email sending limit exceeded**|Generates an alert when someone in your organization has sent more mail than is allowed by the outbound spam policy. This is usually an indication the user is sending too much email or that the account may be compromised. This policy has a **Medium** severity setting. If you get an alert generated by this alert policy, it's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|

-|**Form blocked due to potential phishing attempt**|Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior. This policy has a **High severity** setting.|Threat management|No|E1, E3/F3, or E5|

-|**Form flagged and confirmed as phishing**|Generates an alert when a form created in Microsoft Forms from within your organization has been identified as potential phishing through Report Abuse and confirmed as phishing by Microsoft. This policy has a **High** severity setting.|Threat management|No|E1, E3/F3, or E5|

-|**Messages have been delayed**|Generates an alert when Microsoft can't deliver email messages to your on-premises organization or a partner server by using a connector. When this happens, the message is queued in Office 365. This alert is triggered when there are 2,000 messages or more that have been queued for more than an hour. This policy has a **High** severity setting.|Mail flow|No|E1/F1/G1, E3/F3/G3, or E5/G5|

-|**Malware campaign detected after delivery**|Generates an alert when an unusually large number of messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes. This policy has a **High** severity setting.|Threat management|No|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|

-|**Malware campaign detected and blocked**|Generates an alert when someone has attempted to send an unusually large number of email messages containing a certain type of malware to users in your organization. If this event occurs, the infected messages are blocked by Microsoft and not delivered to mailboxes. This policy has a **Low** severity setting.|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|

-|**Malware campaign detected in SharePoint and OneDrive**|Generates an alert when an unusually high volume of malware or viruses is detected in files located in SharePoint sites or OneDrive accounts in your organization. This policy has a **High** severity setting.|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|

-|**Malware not zapped because ZAP is disabled**| Generates an alert when Microsoft detects delivery of a malware message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled. This policy has an **Informational** severity setting. |Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|

-|**Phish delivered due to an ETR override**|Generates an alert when Microsoft detects an Exchange Transport Rule (ETR) that allowed delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting. For more information about Exchange Transport Rules (Mail flow rules), see [Mail flow rules (transport rules) in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|

-|**Phish delivered due to an IP allow policy**|Generates an alert when Microsoft detects an IP allow policy that allowed delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting. For more information about the IP allow policy (connection filtering), see [Configure the default connection filter policy - Office 365](../security/office-365-security/configure-the-connection-filter-policy.md).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|

-|**Phish not zapped because ZAP is disabled**| Generates an alert when Microsoft detects delivery of a high confidence phishing message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled. This policy has an **Informational** severity setting.|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|

-|**Phish delivered due to tenant or user override**¹|Generates an alert when Microsoft detects an admin or user override allowed the delivery of a phishing message to a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains. This policy has a **High** severity setting.|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|

-|**Suspicious email forwarding activity**|Generates an alert when someone in your organization has autoforwarded email to a suspicious external account. This is an early warning for behavior that may indicate the account is compromised, but not severe enough to restrict the user. This policy has a **High** severity setting. Although it's rare, an alert generated by this policy may be an anomaly. It's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|

-|**Suspicious email sending patterns detected**|Generates an alert when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. This is an early warning for behavior that may indicate that the account is compromised, but not severe enough to restrict the user. This policy has a **Medium** severity setting. Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|Yes|E1/F1/G1, E3/F3/G3, or E5/G5 |

-|**Tenant Allow/Block List entry is about to expire**|Generates an alert when a Tenant Allow/Block List entry is about to be removed. This event is triggered three days prior to expiration date, which is based when the entry was created or last updated. This alert policy has an **Informational** severity setting. This is to inform admins of upcoming changes in the filters since the allow or block could be going away. For blocks, you can extend the expiration date to keep the block in place. For allows, you need to resubmit the item so that our analysts can take another look. However, if the allow has already been graded as a false positive, then the entry will only expire when the system filters have been updated to naturally allow the entry. For more information on events that trigger this alert, see [Manage the Tenant Allow/Block list](../security/office-365-security/tenant-allow-block-list.md).|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|

-|**Tenant restricted from sending email**|Generates an alert when most of the email traffic from your organization has been detected as suspicious and Microsoft has restricted your organization from sending email. Investigate any potentially compromised user and admin accounts, new connectors, or open relays, and then contact Microsoft Support to unblock your organization. This policy has a **High** severity setting. For more information about why organizations are blocked, see [Fix email delivery issues for error code 5.7.7xx in Exchange Online](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-7-700-through-5-7-750).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|

-|**Tenant restricted from sending unprovisioned email**|Generates an alert when too much email is being sent from unregistered domains (also known as *unprovisioned* domains). Office 365 allows a reasonable amount of email from unregistered domains, but you should configure every domain that you use to send email as an accepted domain. This alert indicates that all users in the organization can no longer send email. This policy has a **High** severity setting. For more information about why organizations are blocked, see [Fix email delivery issues for error code 5.7.7xx in Exchange Online](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-7-700-through-5-7-750).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|

-|**Unusual external user file activity**|Generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization. This includes activities such as accessing files, downloading files, and deleting files. This policy has a **High** severity setting.|Data lifecycle management|No|E5/G5, Microsoft Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|

-|**Unusual volume of external file sharing**|Generates an alert when an unusually large number of files in SharePoint or OneDrive are shared with users outside of your organization. This policy has a **Medium** severity setting.|Data lifecycle management|No|E5/G5, Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|

-|**Unusual volume of file deletion**|Generates an alert when an unusually large number of files are deleted in SharePoint or OneDrive within a short time frame. This policy has a **Medium** severity setting.|Data lifecycle management|No|E5/G5, Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|

-|**Unusual increase in email reported as phish**|Generates an alert when there's a significant increase in the number of people in your organization using the Report Message add-in in Outlook to report messages as phishing mail. This policy has a **Medium** severity setting. For more information about this add-in, see [Use the Report Message add-in](https://support.office.com/article/b5caa9f1-cdf3-4443-af8c-ff724ea719d2).|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|

-|**User impersonation phish delivered to inbox/folder**^1,²|Generates an alert when Microsoft detects that an admin or user override has allowed the delivery of a user impersonation phishing message to the inbox (or other user-accessible folder) of a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains. This policy has a **Medium** severity setting.|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|

-|**User requested to release a quarantined message**|Generates an alert when a user requests release for a quarantined message. To request the release of quarantined messages, the **Allow recipients to request a message to be released from quarantine** (_PermissionToRequestRelease_) permission is required in the quarantine policy (for example, from the **Limited access** preset permissions group). For more information, see [Allow recipients to request a message to be released from quarantine permission](../security/office-365-security/quarantine-policies.md#allow-recipients-to-request-a-message-to-be-released-from-quarantine-permission). This policy has an **Informational** severity setting.|Threat management|No| Microsoft Business Basic, Microsoft Business Standard, Microsoft Business Premium, E1/F1/G1, E3/F3/G3, or E5/G5|

-|**User restricted from sending email**|Generates an alert when someone in your organization is restricted from sending outbound mail. This typically results when an account is compromised, and the user is listed on the **Restricted Users** page in the compliance portal. (To access this page, go to **Threat management > Review > Restricted Users**). This policy has a **High** severity setting. For more information about restricted users, see [Removing a user, domain, or IP address from a block list after sending spam email](/office365/securitycompliance/removing-user-from-restricted-users-portal-after-spam).|Threat management|Yes|E1/F1/G1, E3/F3/G3, or E5/G5|

-|**User restricted from sharing forms and collecting responses**|Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior. This policy has a **High** severity setting.|Threat management|No|E1, E3/F3, or E5|

-> ¹ We've temporarily removed this default alert policy based on customer feedback. We're working to improve it, and will replace it with a new version in the near future. Until then, you can create a custom alert policy to replace this functionality by using the following settings: <ul><li>Activity is Phish email detected at time of delivery</li> <li>Mail is not ZAP'd</li> <li>Mail direction is Inbound</li> <li>Mail delivery status is Delivered</li> <li>Detection technology is Malicious URL retention, URL detonation, Advanced phish filter, General phish filter, Domain impersonation, User impersonation, and Brand impersonation</li></ul> For more information about anti-phishing in Office 365, see [Set up anti-phishing and anti-phishing policies](../security/office-365-security/set-up-anti-phishing-policies.md).<br/><br/>² To recreate this alert policy, follow the guidance in the previous footnote, but choose User impersonation as the only Detection technology.

-The unusual activity monitored by some of the built-in policies is based on the same process as the alert threshold setting that was previously described. Microsoft establishes a baseline value that defines the normal frequency for "usual" activity. Alerts are then triggered when the frequency of activities tracked by the built-in alert policy greatly exceeds the baseline value.

-<a name="viewing-alerts"></a>

-You can use the following filters to view a subset of all the alerts on the **Alerts** page.

-> Filtering and sorting by user tags is currently in public preview.

-> It may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided about it.

-When multiple events that match the conditions of an alert policy occur with a short period of time, they are added to an existing alert by a process called *alert aggregation*. When an event triggers an alert, the alert is generated and displayed on the **Alerts** page and a notification is sent. If the same event occurs within the aggregation interval, then Microsoft 365 adds details about the new event to the existing alert instead of triggering a new alert. The goal of alert aggregation is to help reduce alert "fatigue" and let you focus and take action on fewer alerts for the same event.

-|Subscription|Aggregation interval|

-|:|::|

-This design (based on RBAC permissions) lets you determine which alerts can be viewed (and managed) by users in specific job roles in your organization.

-The following table lists the roles that are required to view alerts from the six different alert categories. The first column in the tables lists all roles in the compliance portal or the Microsoft 365 Defender portal. A check mark indicates that a user who is assigned that role can view alerts from the corresponding alert category listed in the top row.

-To see which category a default alert policy is assigned to, see the table in [Default alert policies](#default-alert-policies).

-|Role|Data lifecycle management|Data loss prevention|Mail flow|Permissions|Threat management|Others|

-|:|::|::|::|::|::|::|

-|Audit Logs|||||||

-|Case Management|||||||

-|Compliance Administrator|||||||

-|Compliance Search|||||||

-|Device Management|||||||

-|Disposition Management|||||||

-|DLP Compliance Management|||||||

-|Export|||||||

-|Hold|||||||

-|Information Protection Analyst|||||||

-|Information Protection Investigator|||||||

-|Manage Alerts|||||||

-|Organization Configuration|||||||

-|Preview|||||||

-|Record Management|||||||

-|Retention Management|||||||

-|Review|||||||

-|RMS Decrypt|||||||

-|Role Management|||||||

-|Search And Purge|||||||

-|Security Administrator|||||||

-|Security Reader||||||

-|Service Assurance View|||||||

-|Supervisory Review Administrator|||||||

-|View-Only Audit Logs|||||||

-|View-Only Device Management|||||||

-|View-Only DLP Compliance Management|||||||

-|View-Only Manage Alerts|||||||

-|View-Only Recipients|||||||

-|View-Only Record Management|||||||

-|View-Only Retention Management|||||||

-> ```

->

-> ```powershell

-> $RoleGroups | foreach {Write-Output -InputObject `r`n,$_.Name,"--"; Get-RoleGroup $_.Identity | Select-Object -ExpandProperty Roles}

-<a name="manage-alerts"></a>

-<a name="viewing-cloud-app-security-alerts"></a>

-<!-- [!VIDEO https://www.microsoft.com/videoplayer/embed/RWyGL7]-->

-<!--Take a video tour of our data classification features.

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4vx8x]-->

-<!--Learn more about confidence levels in this short video.

- > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Hx60]-->

-## February 2022

-### eDiscovery

-### Data lifecycle management and records management

-### Sensitivity labels

- - Additional settings for email to support always applying a matched sensitivity label, and to apply encryption to email received from outside the organization.

- - Exclusions for specific instances (users, groups, sites) are supported by using the new **Excluded** option when the default selection of **All** is specified for **Included**.

-The following table shows the [SKOS](https://www.w3.org/TR/skos-primer/) equivalents for the [SharePoint taxonomy](/dotnet/api/microsoft.sharepoint.taxonomy) vocabulary. SharePoint does not support [SKOS](https://www.w3.org/TR/skos-primer/) values that have no SharePoint taxonomy equivalent.

-|sharepoint-taxonomy:Term|skos:Concept|

-|sharepoint-taxonomy:TermSet|skos:ConceptScheme|

-|sharepoint-taxonomy:inTermSet|skos:inScheme|

-|sharepoint-taxonomy:hasTopLevelTerm|skos:hasTopConcept|

-|sharepoint-taxonomy:topLevelTermOf|skos:topConceptOf|

-|sharepoint-taxonomy:defaultLabel|skos:prefLabel|

-|sharepoint-taxonomy:termSetName|skos:prefLabel|

-|sharepoint-taxonomy:propertyName|skos:prefLabel|

-|sharepoint-taxonomy:otherLabel|skos:altLabel|

-|sharepoint-taxonomy:description|skos:definition|

-|sharepoint-taxonomy:parent|skos:broader|

-|sharepoint-taxonomy:child|skos:narrower|

-|sharepoint-taxonomy:isAvailableForTagging|owl:datatypeproperty|

-|sharepoint-taxonomy:SharedCustomPropertyForTerm|owl:ObjectProperty|

-|sharepoint-taxonomy:LocalCustomPropertyForTerm|owl:ObjectProperty|

-|sharepoint-taxonomy:CustomPropertyForTermSet|owl:ObjectProperty|

-In the case of the termSetName provided is not unique within the [TermGroup](/dotnet/api/microsoft.sharepoint.taxonomy.group), SharePoint appends a number at the end of the name to maintain the uniqueness of termSetName(s).

-SharePoint uses this property to map the top most [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) in the [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset), which is the entry point to the hierarchy of [Terms](/dotnet/api/microsoft.sharepoint.taxonomy.term) in a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset). This is an inverse relation to sharepoint-taxonomy:topLevelTermOf.

-Sharepoint-taxonomy:topLevelTermOf is the inverse of sharepoint-taxonomy:hasTopLevelTerm

-This the lexical label for a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset), in a [TermStore](/dotnet/api/microsoft.sharepoint.taxonomy.termstore) working language. This is a required parameter for a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset). Use to visually representing a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset).

-The sharepoint-taxonomy:propertyName is treated as the key of the CustomProperty.

-The object contains one or more child TermSet instances, and these can be accessed through the TermSets property. This class also provides methods for creating new child TermSet objects. Permissions for editing child Term and TermSet instances is specified on the group.

-If the custom property for a [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) does not need to be carried along with the [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term), when you reuse the [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) somewhere else, then you need to define it under LocalCustomPropertyForTerm.

-[SKOS](https://www.w3.org/TR/skos-primer/) valid scenarios that [SharePoint taxonomy](/dotnet/api/microsoft.sharepoint.taxonomy) does not allow:

- 

-search.product: eADQiWindows 10XVcnh

- - m365-security-compliance

-You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways.

-Because the Microsoft Defender Antivirus client is installed as a core part of Windows 10 and Windows 11, traditional deployment of a client to your endpoints does not apply.

-However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Microsoft Defender for Cloud, or Group Policy Objects, which is described in the following table.

-You'll also see additional links for:

-Tool|Deployment options (<a href="#fn2" id="ref2">2</a>)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options

-Microsoft Intune|[Add endpoint protection settings in Intune](/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](/intune/device-restrictions-configure)| [Use the Intune console to manage devices](/intune/device-management)

-Microsoft Endpoint Manager ([1](#fn1))|Use the [Endpoint Protection point site system role](/mem/configmgr/protect/deploy-use/endpoint-protection-site-role) and [enable Endpoint Protection with custom client settings](/mem/configmgr/protect/deploy-use/endpoint-protection-configure-client).|With [default and customized antimalware policies](/microsoft-365/security/office-365-security/configure-anti-malware-policies) and client management.|With the default [Configuration Manager Monitoring workspace](/mem/configmgr/apps/deploy-use/monitor-applications-from-the-console) and email alerts.

-Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [configure update options for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus) and [configure Windows Defender features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features).|Endpoint reporting is not available with Group Policy. You can generate a list of Group Policies to determine if any settings or policies are not applied.

-PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module](/powershell/module/defender).

-Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class](/previous-versions/windows/desktop/defender/set-msft-mppreference) and the [Update method of the MSFT_MpSignature class](/previous-versions/windows/desktop/defender/update-msft-mpsignature).|Use the [MSFT_MpComputerStatus](/previous-versions/windows/desktop/defender/msft-mpcomputerstatus) class and the get method of associated classes in the [Windows Defender WMIv2 Provider](/windows/win32/wmisdk/wmi-providers).

-Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Microsoft Defender for Cloud](/azure/defender-for-cloud/endpoint-protection-recommendations-technical).|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe).|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the Possibly infected devices report, and configure an SIEM tool to report on [Microsoft Defender Antivirus events][/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus] and add that tool as an app in AAD.

-2. <span id="fn2" />In Windows 10 and Windows 11, Microsoft Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date (except on Windows Server 2016). Traditional deployment therefore is not required. Deployment here refers to ensuring the Microsoft Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)

-[Deploy and enable Microsoft Defender Antivirus protection](deploy-microsoft-defender-antivirus.md) | While the client is installed as a core part of Windows 10 or Windows 11, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects.

-[Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) | There are two parts to updating Microsoft Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI.

-$channel = 'insiders-fast',

-$distro = undef,

-$version = undef

-){

- case $::osfamily {

- 'Debian' : {

- $release = $channel ? {

- 'prod' => $facts['os']['distro']['codename']

- }

- apt::source { 'microsoftpackages' :

- location => "https://packages.microsoft.com/${distro}/${version}/prod",

- release => $release,

- repos => 'main',

- key => {

- 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF',

- 'server' => 'keyserver.ubuntu.com',

- },

- }

- }

- 'RedHat' : {

- yumrepo { 'microsoftpackages' :

- baseurl => "https://packages.microsoft.com/${distro}/${version}/${channel}",

- descr => "packages-microsoft-com-prod-${channel}",

- enabled => 1,

- gpgcheck => 1,

- gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc'

- }

- }

- default : { fail("${::osfamily} is currently not supported.") }

- case $::osfamily {

- /(Debian|RedHat)/: {

- file { ['/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']:

- ensure => directory,

- owner => root,

- group => root,

- mode => '0755'

- }

- file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json':

- source => 'puppet:///modules/install_mdatp/mdatp_onboard.json',

- owner => root,

- group => root,

- mode => '0600',

- require => File['/etc/opt/microsoft/mdatp']

- }

- package { 'mdatp':

- ensure => 'installed',

- require => File['/etc/opt/microsoft/mdatp/mdatp_onboard.json']

- }

- }

- default : { fail("${::osfamily} is currently not supported.") }

-The following table contains a list terms that are new to Microsoft Defender Antivirus reporting.

-Microsoft Defender Antivirus (MDAV) make up-to-date reports makes determinations based on the following criteria:

-##### Up-to-date examples

-**The security intelligence update is considered up-to date** If the security intelligence version on the device was written in the past 7 days and the device has communicated with the report event in past 7 days

-| < 7 days (new) | < 7 days (new) | _Up to date/ Out of Date/ Unknown (whatever client reports)_ |

-| < 7 days (new) | < 7 days (new) | _Up to date/ Out of Date/ Unknown (whatever client reports)_ |

-| EventΓÇÖs Last Refresh Time (aka ΓÇ£Signature Refresh TimeΓÇ¥ in reports) | Security Intelligence Publish Time | _Reported Status_: |

-|:-|:-|:-|

-| <7 days (new) | >7 days (old) | Up to Date | _Unknown_ |

-| <7 days (new) | <7 days (new) | Up to Date | _Up to Date_ |

-| >7 days (old) | <7 days (new) | Out of date | _Out of Date_ |

-| >7 days (old) | >7 days (old) | Out of date | _Out of Date_ |

-| <7 days (new) | >7 days (old) | Out of Date | _Out of Date_ |

-> Experts on Demand is not a security incident response service. ItΓÇÖs intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/)

-Domain administrators publish SPF information in TXT records in DNS. The SPF information identifies authorized outbound email servers. Destination email systems verify that messages originate from authorized outbound email servers. If you are already familiar with SPF, or you have a simple deployment, and just need to know what to include in your SPF TXT record in DNS for Microsoft 365, you can go to [Set up SPF in Microsoft 365 to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md). If you do not have a deployment that is fully hosted in Microsoft 365, or you want more information about how SPF works or how to troubleshoot SPF for Microsoft 365, keep reading.

-SPF determines whether or not a sender is permitted to send on behalf of a domain. If the sender is not permitted to do so, that is, if the email fails the SPF check on the receiving server, the spam policy configured on that server determines what to do with the message.

-Each SPF TXT record contains three parts: the declaration that it is an SPF TXT record, the IP addresses that are allowed to send mail from your domain and the external domains that can send on your domain's behalf, and an enforcement rule. You need all three in a valid SPF TXT record. This article describes how you form your SPF TXT record and provides best practices for working with the services in Microsoft 365. Links to instructions on working with your domain registrar to publish your record to DNS are also provided.

-Since IP address #12 is not in contoso.com's SPF TXT record, the message fails the SPF check and the receiver may choose to mark it as spam.

-The message originally passes the SPF check at woodgrovebank.com but it fails the SPF check at outlook.com because IP #25 is not in contoso.com's SPF TXT record. Outlook.com might then mark the message as spam. To work around this problem, use SPF in conjunction with other email authentication methods such as DKIM and DMARC.

-In addition to IP addresses, you can also configure your SPF TXT record to include domains as senders. These are added to the SPF TXT record as "include" statements. For example, contoso.com might want to include all of the IP addresses of the mail servers from contoso.net and contoso.org which it also owns. To do this, contoso.com publishes an SPF TXT record that looks like this:

-When the receiving server sees this record in DNS, it also performs a DNS lookup on the SPF TXT record for contoso.net and then for contoso.org. If it finds an additional include statement within the records for contoso.net or contoso.org, it will follow those too. In order to help prevent denial of service attacks, the maximum number of DNS lookups for a single email message is 10. Each include statement represents an additional DNS lookup. If a message exceeds the 10 limit, the message fails SPF. Once a message reaches this limit, depending on the way the receiving server is configured, the sender may get a message that says the message generated "too many lookups" or that the "maximum hop count for the message has been exceeded" (which can happen when the lookups loop and surpass the DNS timeout). For tips on how to avoid this, see [Troubleshooting: Best practices for SPF in Microsoft 365](how-office-365-uses-spf-to-prevent-spoofing.md#SPFTroubleshoot).

-If you're a fully-hosted customer, that is, you have no on-premises mail servers that send outbound mail, this is the only SPF TXT record that you need to publish for Office 365.

-Use the syntax information in this article to form the SPF TXT record for your custom domain. Although there are other syntax options that are not mentioned here, these are the most commonly used options. Once you have formed your record, you need to update the record at your domain registrar.

-For information about the domains you will need to include for Microsoft 365, see [External DNS records required for SPF](../../enterprise/external-domain-name-system-records.md). Use the [step-by-step instructions](../../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md#add-or-edit-an-spf-txt-record-to-help-prevent-email-spam-outlook-exchange-online) for updating SPF (TXT) records for your domain registrar.

- Indicates hard fail. If you know all of the authorized IP addresses for your domain, list them in the SPF TXT record and use the -all (hard fail) qualifier. Also, if you are only using SPF, that is, you are not using DMARC or DKIM, you should use the -all qualifier. We recommend that you use always this qualifier.

- Indicates soft fail. If you're not sure that you have the complete list of IP addresses, then you should use the ~all (soft fail) qualifier. Also, if you are using DMARC with p=quarantine or p=reject, then you can use ~all. Otherwise, use -all.

- Indicates neutral. This is used when testing SPF. We do not recommend that you use this qualifier in your live deployment.

-Once you have formulated your SPF TXT record, follow the steps in [Set up SPF in Microsoft 365 to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md) to add it to your domain.

-Although SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF cannot protect against. In order to protect against these, once you have set up SPF, you should also configure DKIM and DMARC for Microsoft 365. To get started, see [Use DKIM to validate outbound email sent from your custom domain in Microsoft 365](use-dkim-to-validate-outbound-email.md). Next, see [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md).

-If an email message causes more than 10 DNS lookups before it is delivered, the receiving mail server will respond with a permanent error, also called a _permerror_, and cause the message to fail the SPF check. The receiving server may also respond with a non-delivery report (NDR) that contains an error similar to these:

-You can use nslookup to view your DNS records, including your SPF TXT record. There are a number of free, online tools available that you can use to view the contents of your SPF TXT record. By looking at your SPF TXT record and following the chain of include statements and redirects, you can determine how many DNS lookups the record requires. Some online tools will even count and display these lookups for you. Keeping track of this number will help prevent messages sent from your organization from triggering a permanent error, called a perm error, from the receiving server.

-Need help adding the SPF TXT record? Read the article [Create DNS records at any DNS hosting provider for Microsoft 365](../../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md#add-or-edit-an-spf-txt-record-to-help-prevent-email-spam-outlook-exchange-online) for detailed information about usage of Sender Policy Framework with your custom domain in Microsoft 365. [Anti-spam message headers](anti-spam-message-headers.md) includes the syntax and header fields used by Microsoft 365 for SPF checks.

-|Alerts|The user tags of affected users are visible and available as filters on the **Alerts** page in the Microsoft 365 Defender portal. For more information, see [Viewing alerts](../../compliance/alert-policies.md#viewing-alerts).|

-In the United States, these include the California Consumer Protection Act ([CCPA](/compliance/regulatory/ccpa-faq)), HIPAA-HITECH (United States health care privacy act), and the Graham Leach Bliley Act (GLBA). Additional state-specific regulations are also in-place or in development.

-Around the world, additional examples include Germany's National GDPR Implementation Act (BDSG), the Brazil Data Protection Act (LGPD), and many others.

-Many of the data privacy-related regulations have overlapping requirements, so you should understand which regulations they are subject to prior to developing any technical control scheme.

-||Article (13)(2)(a)|"...the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.|Govern information|

-||45 CFR 164.312(c)(2)|Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.|Govern information|

-||1798.105(d)|(exceptions to 1798.105(c) <br> A business or a service provider shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information in order to: (refer to the current regulation for additional information).|Discover and respond|

-Regardless of the regulations you are subject to, where different user data types inside and outside your organization interact with your systems are all important factors that may impact your overall personal data protection strategy, subject to the industry and government regulations that apply to your organization. This includes where personal data is stored, what type it is, and how much of it there is, and under what circumstances it was collected.

-If you have not already assessed your overall readiness and risk associated with data privacy regulations, use the following 3-step framework to get started.

-You need to gauge exposure to data privacy risk based on the type of personal data it currently manages, where it is stored, what protective controls are placed on it, how it's lifecycle is managed, and who has access to it.

-Here is an example of the different types of data for typical departments of an organization.

-Your data privacy exposure in Microsoft 365 may be more limited relative to your web applications and CRM systems, which this solution does not address.

-|Deletion and notification|<ol><li>Do you give explicit instructions on how users' data can be accessed? </li><li> Do you have documented processes in place for handling opt out consent? </li><li> Do you have an Automated Deletion process for data? </li><li> Do you have a process to validate identity when engaging with a customer? </li></ol>|

-Configuration profiles give you the ability to configure important protection and to bring devices into compliance so they can access your resources. Previously, these kinds of configuration changes were configured by using Group Policy settings in Active Directory Domain Services. A modern security strategy includes moving security controls to the cloud where enforcement of these controls is not dependent on on-premises resources and access. Intune configuration profiles are the way to transition these security controls to the cloud.

-It is important to understand that these security baselines are not CIS or NIST compliant but closely mirror their recommendations. For more information, see [Are the Intune security baselines CIS or NIST compliant?](/mem/intune/protect/security-baselines#are-the-intune-security-baselines-cis-or-nist-compliant)

-To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released.

-I am currently a Principal Technical Specialist in our Retail and Consumer Goods team, focusing on Security & Compliance. I have worked with customers moving to Office 365 for the past ten years. I've worked with smaller shops with a handful of locations to government agencies and enterprises with millions of users distributed around the world, and many other customers in between, with the majority having tens of thousands of users, multiple locations in various parts of the world, the need for a higher degree of security, and a multitude of compliance requirements. I have helped hundreds of enterprises and millions of users move to the cloud safely and securely.

-No matter how many times it happens, it never fails to amaze me how *creative* security teams and networking teams try to get with how they think they should connect to Microsoft cloud services. There's always some security policy, compliance standard, or better way they insist on using, without being willing to engage in a conversation about what it is they are trying to accomplish, or *how* there are better, easier, more cost-effective, and more performant ways of doing so.

-When this sort of thing is escalated to me, I'm usually willing to take the challenge and walk them through the hows and the whys and get them to where they need to be. But if I am being completely frank, I have to share that sometimes I want to just let them do what they will, and come back to say I told you so when they finally concede it doesn't work. I may want to do that sometimes, but I *don't*. What I do is try to explain all of what I am going to include in this post. Regardless of your role, if your organization wants to use Microsoft cloud services, there's probably some wisdom in what follows that can help you out.

-Let's start with some ground rules around what we're doing here. We are discussing how to securely connect to cloud services to ensure the minimum complexity, and the maximum performance, while maintaining real security. None of what follows is counter to any of that, even if you, or your customer, won't get to use your favorite proxy server for everything.

-Very few customers are deploying greenfield environments, and they have years of experience with how their users work and what their Internet egress is like. Whether customers have proxy servers or allow direct access and simply NAT outbound traffic, they've been doing it for years and don't consider just how much more they are going to start pumping through their edge as they move traditionally internal applications out to the cloud.

-One of the first things to consider is whether to proxy users' connections to Office 365. That one's easy; do not proxy. Office 365 is accessed over the Internet, but it is not THE Internet. It's an extension of your core services and should be treated as such. Anything you might want a proxy to do, such as DLP or antimalware or content inspection, is already available to you in the service, and can be used at scale and without needing to crack TLS-encrypted connections. But if you really want to proxy traffic that you cannot otherwise control, pay attention to our guidance at [https://aka.ms/pnc](../enterprise/microsoft-365-network-connectivity-principles.md) and the categories of traffic at [https://aka.ms/ipaddrs](../enterprise/urls-and-ip-address-ranges.md). We have three categories of traffic for Office 365. Optimize and Allow really should go direct and bypass your proxy. Default can be proxied. The details are in those docs...read them.

-Most customers who insist on using a proxy, when they actually look at what they are doing, come to realize that when the client makes an HTTP CONNECT request to the proxy, the proxy is now just an expensive extra router. The protocols in use such as MAPI and RTC are not even protocols that web proxies understand, so even with TLS cracking you're not really getting any extra security. You *are* getting extra latency. See [https://aka.ms/pnc](../enterprise/microsoft-365-network-connectivity-principles.md) for more on this, including the Optimize, Allow, and Default categories for Microsoft 365 traffic.

-TLS Inspection means SECURITY! But not really! Many customers with proxies want to use them to inspect all traffic, and that means TLS "break and inspect." When you do that for a website accessed over HTTPS (privacy concerns notwithstanding) your proxy may have to do that for 10 or even 20 concurrent streams for a few hundred milliseconds. If there's a large download or maybe a video involved, one or more of those connections may last much longer, but on the whole, most of those connections establish, transfer, and close very quickly. Doing break and inspect means the proxy must do double the work. For each connection from the client to the proxy, the proxy must also make a separate connection back to the endpoint. So, 1 becomes 2, 2 becomes 4, 32 becomes 64...see where I am going? You probably sized your proxy solution just fine for typical web surfing, but when you try to do the same thing for client connections to Office 365, the number of concurrent, long-lived connections may be orders of magnitude greater than what you sized for.

-Forcing a TLS connection, or 32 of them, to go over a VPN before they then go to the service doesn't add security. It does add latency and reduces overall throughput. In some VPN solutions, it even forces UDP to tunnel through TCP, which again will have a very negative impact on streaming traffic. And, unless you are doing TLS inspection, there's no upside, all downside. A very common theme among customers, now that most of their workforce is remote, is that they're seeing significant bandwidth and performance impacts from making all their users connect using a VPN, instead of configuring split tunneling for access to [Optimize category Office 365 endpoints](../enterprise/microsoft-365-network-connectivity-principles.md#new-office-365-endpoint-categories).