+> The information in this article only applies to the [Microsoft 365 Copilot Early Access Program](https://www.microsoft.com/microsoft-365/blog/2023/05/09/introducing-the-microsoft-365-copilot-early-access-program-and-new-capabilities-in-copilot/), an invite-only preview program for commercial customers. Details are subject to change.

+Before you can access Copilot, you must meet these requirements:

+- The following applications must be deployed for your users, which seamlessly integrate with Microsoft 365 Copilot and other applications:

+ - Word

+ - Excel

+ - PowerPoint

+ - Outlook

+ - Microsoft Teams

+ - OneDrive

+ - SharePoint

+ - Exchange

+

+To get started with the implementation process, see [Deployment guide for Microsoft 365 Apps](/deployoffice/deployment-guide-microsoft-365-apps).

+> This note only applies to Microsoft 365 Apps for enterprise subscribers. Your users must be on the Current Channel to access Copilot. To learn more, see [update channels for Microsoft 365 Apps](/deployoffice/updates/overview-update-channels#current-channel-overview).

+## More resources

+- [Microsoft 365 Copilot setup guide](https://go.microsoft.com/fwlink/p/?linkid=2243702)

+- [Microsoft 365 AI help and learning](https://support.microsoft.com/copilot)

+- [Microsoft 365 Copilot - Microsoft Community Hub](https://techcommunity.microsoft.com/t5/microsoft-365-copilot/ct-p/Microsoft365Copilot)

+ Title: "Manage self-service license requests in the Microsoft 365 admin center"

+description: "Learn how to review and approve or deny license requests for products and services from users in the Microsoft 365 admin center."

+# Manage self-service license requests in the Microsoft 365 admin center

+> The information in this article only applies to self-service purchased products and services. To learn more, see [Self-service purchase FAQ](../subscriptions/self-service-purchase-faq.yml).

+If you turn-off self-service purchases in your organization, you can set up license requests in the Microsoft 365 admin center to manage the license request process for your users. When a user tries to make a self-service purchase for a product that you've blocked, they can submit a request for a license to you, the admin. When they make a request, they can add the names of other users who also need licenses for the product.

+To see and manage license requests, use the **Requests** tab on the **Licensing** page in the admin center. The list shows the name of the product requested, name of the person requesting a license, date requested, and status of the request. You can filter the list to show requests that are pending or completed. Requests are held for 30 days.

+You must be a global, billing, or license admin to perform the tasks in this article. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).

+> [!NOTE]

+> If you're the person who signed up for the subscription, you're automatically a global admin.

+If your organization has its own request process, you can use it instead. You create a message to display to users when they request a license.

+1. In the Microsoft 365 admin center, select the **Navigation menu**, then select **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a>.

+2. On the **Licenses** page, select the **Requests** tab, then select **Use your existing request process instead**.

+3. In the **Use your request process** pane, select the **Use my organization's request process** check box.

+4. In the **Message** box, type the message you want users to see when they request a license. If you want to also include a link to your organizations policy or other documentation, enter the URL in the **Link to documentation (optional)** text box.

+5. Select **Save**.

+1. In the admin center, select the **Navigation menu**, then select **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a>.

+2. On the **Licenses** page, select the **Requests** tab, then select **Use your existing request process instead**.

+3. In the **Use your request process** pane, clear **Use my organization's request process** check box.

+1. In the admin center, select the **Navigation menu**, then select **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a>.

+2. On the **Licenses** page, select the **Requests** tab.

+3. Select the row that contains the request you want to review. The side pane shows details about which users want licenses to the product.

+ - To deny the entire request, select **Don't approve**, and in the dialog box, select **Don't approve**.

+ - To deny some users but approve others, select the X by the name of the users that you want to remove. Their names are moved under **Do not assign to these users**.

+4. If you have more than one product, under **Select a product**, select the one that you want to use to assign licenses for.

+5. To deny users access to certain app and services, expand **Turn apps and services on or off**, then clear the check boxes for the ones that you want to exclude.

+6. At the bottom of the pane, type an optional message in the text box.

+7. When you're finished, select **Approve**. The pane shows the details of the request.

+8. Close the pane. Users receive an email that says their request was approved or denied.

+## Share a license request by email

+If you donΓÇÖt have the authority within your organization to make decisions about who can receive a license for a particular product or service, you can share a license request via email with someone in your organization who does. You can only share one request at a time. The person who receives the license request email doesnΓÇÖt need access to the Microsoft 365 admin center to review the request. They simply respond to the email and indicate whether the person should be given the license they requested, and then you [approve or deny the request](#approve-or-deny-a-license-request).

+1. In the admin center, select the **Navigation menu**, then select **Billing** > **Licenses**.

+2. On the **Licenses** page, select the <a href="https://go.microsoft.com/fwlink/p/?linkid=2245727" target="_blank">Auto-claim policy</a> tab.

+3. Select the **Share request** tab, then select a request to share.

+4. In the request pane, select **Share request**.

+5. In the **Share license request details** pane, type an email address, then select the recipient name.

+ > [!NOTE]

+ > You can select more than one recipient, but if the email that you entered doesnΓÇÖt resolve into a user name, you canΓÇÖt share the request.

+6. To personalize the email, select the **Include a personalized message** check box. Type a **Subject** and **Message** in the corresponding fields.

+7. When youΓÇÖre finished, select **Share request**.

+ |**ActionType**|Whether you're adding or removing the user from the team. Options are `AddMember` and `RemoveMember`.|

+ |**Owner or Member**|Whether the user is a team owner or team member. Options are `Owner` and `Member`.|

+|Avery Howard|averyh@contoso.com|Contoso Store 1|`AddMember`|`Owner`|

+|Casey Jensen|caseyj@contoso.com|Contoso Store 2|`AddMember`|`Owner`|

+|Jessie Irwin|jessiei@contoso.com|Contoso Store 3|`AddMember`|`Owner`|

+|Manjeet Bhatia|manjeetb@contoso.com|Contoso Store 4|`AddMember`|`Owner`|

+|Mikaela Lee|mikaelal@contoso.com|Contoso Store 5|`AddMember`|`Owner`|

+|Morgan Conners|morganc@contoso.com|Contoso Store 6|`AddMember`|`Member`|

+|Oscar Ward|oscarw@contoso.com|Contoso Store 7|`AddMember`|`Member`|

+|Rene Pelletier|renep@contoso.com|Contoso Store 8|`AddMember`|`Member`|

+|Sydney Mattos|sydneym@contoso.com|Contoso Store 9|`AddMember`|`Member`|

+|Violet Martinez|violetm@contoso.com|Contoso Store 10|`AddMember`|`Member`|

+description: Learn about security plans available for small and medium-sized businesses.

+Microsoft offers a wide variety of cloud solutions and services, including plans for small and medium-sized businesses. For example, [Microsoft 365 Business Premium](../../business/microsoft-365-business-overview.md) includes security and device-management capabilities, along with productivity features such as Office apps. This article describes the security features in Microsoft 365 Business Premium, Microsoft Defender for Business, and [Microsoft Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md).

+> Defender for Business is available as a standalone security solution for small and medium-sized businesses. Defender for Business is also included in Microsoft 365 Business Premium, along with additional security capabilities. If you already have Microsoft 365 Business Basic or Standard, consider either upgrading to Microsoft 365 Business Premium or adding Defender for Business to your current subscription to get more threat protection capabilities for your organization.

+| [Autoexpanding archiving](../../compliance/autoexpanding-archiving.md) (for email) | | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+- [Learn more about Microsoft 365 Business Premium](../../business-premium/index.md)

+- **[Portals that you use](#portals-you-use-for-setup-and-management)** to set up, configure, and manage Defender for Business

+3. In the [Microsoft 365 Defender portal](https://security.microsoft.com), in the navigation bar, go to **Assets** > **Devices**. This action initiates the provisioning of Defender for Business for your tenant. You know this process has started when you see a message like what's displayed in the following screenshot:

+4. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), where you view and manage security settings and devices for your organization. In the navigation bar, go to **Assets** > **Devices**. This action initiates the provisioning of Defender for Business for your tenant.

+4. Review the information, and complete the purchase process. You need one Microsoft Defender for Business servers license for each instance of Windows Server or Linux, and you don't assign that license to users or devices.

+## Portals you use for setup and management

+When you use Defender for Business, you work with two main portals:

+- The Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))

+- The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com))

+If your subscription also includes Microsoft Intune, you use the Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) as well. The following table summarizes these portals and how you use them.

+| The Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) | Use the Microsoft 365 admin center to activate your trial and sign in for the first time. You can also use the Microsoft 365 admin center to: <br/>- Add or remove users.<br/>- Assign user licenses.<br/>- View your products and services.<br/>- Complete setup tasks for your Microsoft 365 subscription.<br/><br/>To learn more, see [Overview of the Microsoft 365 admin center](../../admin/admin-overview/admin-center-overview.md). |

+| The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Use the Microsoft 365 Defender portal to set up and configure Defender for Business, and to monitor your devices and threat detections. You use the Microsoft 365 Defender portal to: <br/>- View your devices and device protection policies.<br/>- View detected threats and take action.<br/>- View security recommendations and manage your security settings.<br/><br/>To learn more, see [Get started using the Microsoft 365 Defender portal](mdb-get-started.md). |

+- tier3

+| **Incidents & alerts** > **Incidents** | Takes you to your list of recent incidents. As alerts are triggered, incidents are created. An incident can include multiple alerts. Make sure to review your incidents regularly. To learn more, see [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md).|

+| **Partner catalog** | Lists Microsoft partners who provide technical and professional services. |

+2. Notice cards on the Home page. These cards were designed to tell you at a glance how many threats were detected, how many user accounts, and what endpoints (devices) or other assets were affected. The following image is an example of cards you might see:

+As threats are detected and alerts are triggered, incidents are created. Your company's security team can view and manage incidents in the Microsoft 365 Defender portal. You must have appropriate permissions assigned to perform the tasks in this article. See [Security roles and permissions in Microsoft Defender for Business](mdb-roles-permissions.md).

+1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, go to **Incidents & alerts**, and then select **Incidents**. Any incidents that were created are listed on the page.

+> Defender for Business is designed to help you address detected threats by recommeding actions you can take. When you view an alert, look for these suggestions. Also notice the alert severity, which is determined not only on the basis of the detected threat severity, but also on the level of risk to your company.

+When a threat is detected, a severity level is assigned to each alert that is generated.

+- Microsoft Defender Antivirus assigns an alert severity based on the absolute severity of a detected threat (such as malware) and the potential risk to an individual endpoint (if infected).

+- Defender for Business assigns an alert severity based on the severity of the detected behavior, the actual risk to an endpoint (device), and more importantly, the potential risk to your company.

+The following table lists a few examples of alerts and their severity levels:

+ |`DefenderOpenNetworkDetection`|0| 1 - Audit, 0 - Disable (default), 2 - Enable. This setting is managed by an IT admin to enable, audit, or disable open network detection. In Audit mode, alerts will be sent only to the ATP portal with no user side experience. For user experience, set the config to "Enable" mode.|

+ - Configuration Value: `{{issupervised}}`

+> - While Windows 10 IoT Enterprise is a supported OS in Microsoft Defender for Endpoint and enables OEMs/ODMs to distribute it as part of their product or solution, customers should follow the OEM/ODM's guidance around host-based installed software and supportability.

+> - Requires the use of the [Log Analytics](/azure/azure-monitor/agents/log-analytics-agent)/Microsoft Monitoring Agent (MMA).

+#### Settings catalog

+You can create a new settings catalog profile to add the Tamper protection configuration, or you can add it to an existing one. The setting "Enforcement level" can be found under category "Microsoft Defender" and subcategory "Tamper protection". Afterwards, choose the desired level.

+#### Custom profile

+As an alternative, you can also configure Tamper protection via a custom profile. For more information, see [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md).

+> For Intune configuration, you can create a new profile configuration file to add the Tamper protection configuration, or you can add these parameters to the existing one. Choose the desired level.

+#### Check status

+| Browser | Your organization's devices must be running one of the following browsers: <br/>- Microsoft Edge<br/>- Google Chrome<br/>- Mozilla FireFox<br/>- Brave<br/>- Opera<br/>- Internet Explorer|

+| Parent category | Child categories |

+|||

+| **Adult content** | - **Cults**: Sites related to groups or movements whose members demonstrate passion for a belief system that is different from those that are socially accepted.<br/><br/>- **Gambling**: Online gambling and sites that promote gambling skills and practice.<br/><br/>- **Nudity**: Sites that provide full-frontal and semi-nude images or videos, typically in artistic form, and might allow the download or sale of such materials.<br/><br/>- **Pornography / Sexually explicit**: Sites containing sexually explicit content in an image-based or textual form. Any form of sexually oriented material is also listed here.<br/><br/>- **Sex education**: Sites that discuss sex and sexuality in an informative and non-voyeuristic way, including sites that provide education about human reproduction and contraception, sites that offer advice on preventing infection from sexual diseases, and sites that offer advice on sexual health matters.<br/><br/>- **Tasteless**: Sites oriented towards content unsuitable for school children to view or that an employer would be uncomfortable with their staff accessing, but not necessarily violent or pornographic.<br/><br/>- **Violence**: Sites that display or promote content related to violence against humans or animals. |

+| **High bandwidth** | - **Download sites**: Sites whose primary function is to allow users to download media content or programs, such as computer programs.<br/><br/>- **Image sharing**: Sites that are used primarily for searching or sharing photos, including those that have social aspects.<br/><br/>- **Peer-to-peer**: Sites that host peer-to-peer (P2P) software or facilitate the sharing of files using P2P software.<br/><br/>- **Streaming media & downloads**: Sites whose primary function is the distribution of streaming media, or sites that allow users to search, watch, or listen to streaming media. |

+| **Legal liability** | - **Child abuse images**: Sites that include child abuse images or pornography.<br/><br/>- **Criminal activity**: Sites that give instruction on, advice about, or promotion of illegal activities.<br/><br/>- **Hacking**: Sites that provide resources for illegal or questionable use of computer software or hardware, including sites that distribute copyrighted material that has been cracked.<br/><br/>- **Hate & intolerance**: Sites promoting aggressive, degrading, or abusive opinions about any section of the population that could be identified by race, religion, gender, age, nationality, physical disability, economic situation, sexual preferences or any other lifestyle choice.<br/><br/>- **Illegal drug**: Sites that sell illegal/controlled substances, promote substance abuse, or sell related paraphernalia.<br/><br/>- **Illegal software**: Sites that contain or promote the use of malware, spyware, botnets, phishing scams, or piracy & copyright theft.<br/><br/>- **School cheating**: Sites related to plagiarism or school cheating.<br/><br/>- **Self-harm**: Sites that promote self-harm, including cyberbullying sites that contain abusive and/or threatening messages towards users.<br/><br/>- **Weapons**: Any site that sells weapons or advocates the use of weapons, including but not limited to guns, knives, and ammunition. |

+| **Leisure** | - **Chat**: Sites that are primarily web-based chat rooms.<br/><br/>- **Games**: Sites relating to video or computer games, including sites that promote gaming through hosting online services or information related to gaming.<br/><br/>- **Instant messaging**: Sites that can be used to download instant messaging software or client based instant messaging.<br/><br/>- **Professional network**: Sites that provide professional networking services.<br/><br/>- **Social networking**: Sites that provide social networking services.<br/><br/>- **Web-based email**: Sites offering web-based mail services. |

+| **Uncategorized** | - **Newly registered domains**: Sites that have been newly registered in the past 30 days and have not yet been moved to another category.<br/><br/>- **Parked domains**: Sites that have no content or are parked for later use. |

+> [!NOTE]

+> Uncategorized contains only newly registered domains and parked domains, and does not include all other sites outside of these categories.

+> - There might be up to 2 hours of latency between the time a policy is created and when it's enforced on the device.

+> - You can deploy a policy without selecting any category on a device group. This action creates an audit-only policy to help you understand user behavior before creating a block policy.

+> - If you are removing a policy or changing device groups at the same time, there could be a delay in policy deployment.

+A panel opens where you can select the priority and add more details such as the suggested category for recategorization. Once you complete the form, select **Submit**. Our team will review the request within one business day. For immediate unblocking, create a [custom allow indicator](indicator-ip-domain.md).

+- [What's new in Defender for Endpoint on Android](android-whatsnew.md)

+- [What's new in Defender for Endpoint on iOS](ios-whatsnew.md)

+ Scopes = 'https://graph.microsoft.com/User.Read.All','https://graph.microsoft.com/Files.ReadWrite','https://api.securitycenter.windows.com/AdvancedQuery.Read'

+ - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).

+ - **Domains**: One or more of the configured [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in Microsoft 365. The recipient's primary email address is in the specified domain.

+ - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).

+ - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).

+ - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).

+After an attacker gains access to your organization, they try to establish a foothold to stay in or get back in after they're discovered. This activity is called *establishing a persistence mechanism*. There are two ways that an attacker can use Outlook to establish a persistence mechanism:

+Reinstalling Outlook, or even giving the affected person a new computer doesn't help. When the fresh installation of Outlook connects to the mailbox, all rules and forms are synchronized from the cloud. The rules or forms are typically designed to run remote code and install malware on the local machine. The malware steals credentials or performs other illicit activity.

+The good news is: if you keep Outlook clients patched to the latest version, you aren't vulnerable to the threat as current Outlook client defaults block both mechanisms.

+Users are unlikely to notice these persistence mechanisms and they might even be invisible to them. The following list describes the signs (Indicators of Compromise) that indicate remediation steps are required:

+- Use the [Get-AllTenantRulesAndForms.ps1](https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/Get-AllTenantRulesAndForms.ps1) PowerShell script to automatically dump all the mail forwarding rules and custom forms for all the users in your organization. This method is the fastest and safest with the least amount of overhead.

+ > [!NOTE]

+ > As of January 2021, the script (and everything else in the repository) is read-only and archived. Lines 154 to 158 attempt to connect to Exchange Online PowerShell using a method that's no longer supported due to the [deprecation of remote PowerShell connections](https://techcommunity.microsoft.com/t5/exchange-team-blog/deprecation-of-remote-powershell-in-exchange-online-re-enabling/ba-p/3779692) in July 2023. Remove lines 154 to 158 and [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) before you run the script.

+3. Open the now visible developer tab in Outlook and select **design a form**.

+5. Investigate any custom forms, especially forms marked as hidden.

+6. Open any custom forms and in the **Form** group, select **View Code** to see what runs when the form is loaded.

+The simplest way to verify a rules or custom forms attack is to run the [Get-AllTenantRulesAndForms.ps1](https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/Get-AllTenantRulesAndForms.ps1) PowerShell script. This script connects to every mailbox in your organization and dumps all the rules and forms into two .csv files.

+#### Prerequisites

+You need to be a member of the Global Administrator role in [Azure Active Directory](../../admin/add-users/about-admin-roles.md) or the Organization Management role group in [Exchange Online](/exchange/permissions-exo/permissions-exo), because the script connects to every mailbox in the organization to read rules and forms.

+1. Use an account with local administrator rights to sign in to the computer where you intend to run the script.

+2. Download or copy the contents of the **Get-AllTenantRulesAndForms.ps1** script from GitHub to a folder that's easy to find and run the script from. The script creates two date stamped files in the folder: `MailboxFormsExport-yyyy-mm-dd.csv` and `MailboxRulesExport-yyyy-mm-dd.csv`.

+ Remove lines 154 to 158 from the script, because that connection method no longer works as of July 2023.

+3. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).

+4. Navigate in PowerShell to the folder where you saved the script, and then run the following command:

+ ```powershell

+ .\Get-AllTenantRulesAndForms.ps1

+ ```

+#### Interpreting the output

+- **MailboxRulesExport-*yyyy-mm-dd*.csv**: Examine the rules (one per row) for action conditions that include applications or executables:

+ - **ActionType (column A)**: The rule is likely malicious if this column contains the value `ID_ACTION_CUSTOM`.

+ - **IsPotentiallyMalicious (column D)**: The rule is likely malicious if this column contains the value `TRUE`.

+ - **ActionCommand (column G)**: The rule is likely malicious if this column contains any of the following values:

+ - An application.

+ - An .exe or .zip file.

+ - An unknown entry that refers to a URL.

+- **MailboxFormsExport-*yyyy-mm-dd*.csv**: In general, the use of custom forms is rare. If you find any in this workbook, open that user's mailbox and examine the form itself. If your organization didn't put it there intentionally, it's likely malicious.

+If you find any evidence of either of these attacks, remediation is simple: just delete the rule or form in the mailbox. You can delete the rule or form using the Outlook client or using Exchange PowerShell.

+1. Identify all devices where the user has used Outlook. They all need to be cleaned of potential malware. Don't allow the user to sign on and use email until all devices have been cleaned.

+2. On each device, follow the steps in [Delete a rule](https://support.microsoft.com/office/2f0e7139-f696-4422-8498-44846db9067f).

+4. Install the most up-to-date versions of Outlook. Remember, current version of Outlook blocks both types of this attack by default.

+5. Once all offline copies of the mailbox have been removed, do the following steps:

+ - Reset the user's password using a high quality value (length and complexity).

+ - If multi-factor authentication (MFA) isn't turned on for the user, follow the steps in [Setup multi-factor authentication for users](../../admin/security-and-compliance/set-up-multi-factor-authentication.md)

+ These steps ensure that the user's credentials aren't exposed via other means (for example, phishing or password reuse).

+Connect to the required Exchange PowerShell environment:

+- **Mailboxes on on-premises Exchange servers**: [Connect to Exchange servers using remote PowerShell](/powershell/exchange/connect-to-exchange-servers-using-remote-powershell) or [Open the Exchange Management Shell](/powershell/exchange/open-the-exchange-management-shell).

+- **Mailboxes in Exchange Online**: [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).

+After you connect to the required Exchange PowerShell environment, you can take the following actions on Inbox rules in user mailboxes:

+- **View Inbox rules in a mailbox**:

+ - **View a summary list of all rules**

+ ```powershell

+ Get-InboxRule -Mailbox laura@contoso.onmicrosoft.com

+ ```

+ - **View detailed information for a specific rule**:

+ ```powershell

+ Get-InboxRule -Mailbox laura@contoso.onmicrosoft.com -Identity "Suspicious Rule Name" | Format-List

+ ```

+ For detailed syntax and parameter information, see [Get-InboxRule](/powershell/module/exchange/get-inboxrule).

+- **Remove Inbox rules from a mailbox**:

+ - **Remove a specific rule**:

+ ```powershell

+ Remove-InboxRule -Mailbox laura@contoso.onmicrosoft.com -Identity "Suspicious Rule Name"

+ ```

+ - **Remove all rules**:

+ ```powershell

+ Get-InboxRule -Mailbox laura@contoso.onmicrosoft.com | Remove-InboxRule

+ ```

+ For detailed syntax and parameter information, see [Remove-InboxRule](/powershell/module/exchange/remove-inboxrule).

+- **Turn off an Inbox rule for further investigation**:

+ ```powershell

+ Disable-InboxRule -Mailbox laura@contoso.onmicrosoft.com -Identity "Suspicious Rule Name"

+ ```

+ For detailed syntax and parameter information, see [Disable-InboxRule](/powershell/module/exchange/disable-inboxrule).

+### First: protect accounts

+The Rules and Forms exploits are only used by an attacker after they've stolen or breached a user's account. So, your first step to preventing the use of these exploits against your organization is to aggressively protect user accounts. Some of the most common ways that accounts are breached are through phishing or [password spray attacks](https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/).

+The best way to protect user accounts (especially admin accounts) is to [set up MFA for users](../../admin/security-and-compliance/set-up-multi-factor-authentication.md). You should also:

+- Monitor how user accounts are [accessed and used](/azure/active-directory/active-directory-view-access-usage-reports). You may not prevent the initial breach, but you can shorten the duration and the effects of the breach by detecting it sooner. You can use these [Office 365 Cloud App Security policies](/cloud-app-security/what-is-cloud-app-security) to monitor accounts and alert you to unusual activity:

+ - **Multiple failed login attempts**: Triggers an alert when users perform multiple failed sign in activities in a single session with respect to the learned baseline, which could indicate an attempted breach.

+ - **Impossible travel**: Triggers an alert when activities are detected from the same user in different locations within a time period that's shorter than the expected travel time between the two locations. This activity could indicate that a different user is using the same credentials. Detecting this anomalous behavior necessitates an initial learning period of seven days to learn a new user's activity pattern.

+ - **Unusual impersonated activity (by user)**: Triggers an alert when users perform multiple impersonated activities in a single session with respect to the baseline learned, which could indicate an attempted breach.

+### Second: Keep Outlook clients current

+Fully updated and patched versions of Outlook 2013, and 2016 disable the "Start Application" rule/form action by default. Even if an attacker breaches the account, the rule and form actions are blocked. You can install the latest updates and security patches by following the steps in [Install Office updates](https://support.microsoft.com/office/2ab296f3-7f03-43a2-8e50-46de917611c5).

+Here are the patch versions for Outlook 2013 and 2016 clients:

+### Third: Monitor Outlook clients

+Even with the patches and updates installed, it's possible for an attacker to change the local machine configuration to reenable the "Start Application" behavior. You can use [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) to monitor and enforce local machine policies on client devices.

+Look for the key `EnableUnsafeClientMailRules`:

+- If the value is 1, the Outlook security patch has been overridden and the computer is vulnerable to the Form/Rules attack.

+- If the value is 0, the "Start Application" action is disabled.

+- If the registry key isn't present and the updated and patched version of Outlook is installed, then the system isn't vulnerable to these attacks.

+ - **Domains**: All senders in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).

+ - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).

+ - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).

+ - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).

+ - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).

+ - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).

+ Title: MICROSOFT SYNTEX FEATURES LIMITED TIME LICENSE

+audience: admin

+search.appverid:

+ms.localizationpriority: medium

+description: Read the Microsoft Syntex Features Limited Time License for Syntex features available as a preview for all users.

+# MICROSOFT SYNTEX FEATURES LIMITED TIME LICENSE

+These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the Microsoft Syntex Features described below and do not alter your or MicrosoftΓÇÖs rights relating to the Product Terms ([Microsoft Product Terms](https://www.microsoft.com/licensing/terms/)). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW. **BY USING THE MICROSOFT SYNTEX FEATURES, INDIVIDUALLY AND COLLECTIVELY YOU ACCEPT THESE TERMS.**

+**MICROSOFT OFFERING - MICROSOFT SYNTEX FEATURES**

+This License governs the limited time use of the following features, individually and collectively, and is referred to as ΓÇ£FeaturesΓÇ¥:

+&emsp;&emsp;i.&ensp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Content Query<br>

+&emsp;&emsp;ii.&ensp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Universal Annotation<br>

+&emsp;&emsp;iii.&emsp;&nbsp;&nbsp;&nbsp;Contracts Accelerator<br>

+&emsp;&emsp;iv.&emsp;&nbsp;&nbsp;&nbsp;Accounts Payable Accelerator<br>

+&emsp;&emsp;v.&emsp;&nbsp;&nbsp;&nbsp;&nbsp;Taxonomy features including: import using SKOS, SKOS formatting reference,<br>&emsp;&emsp;&emsp;&emsp;&nbsp;&nbsp;&nbsp;push content type to hub, and term store reports<br>

+&emsp;&emsp;vi.&emsp;&nbsp;&nbsp;&nbsp;PDF Merge/Split<br>

+&emsp;&emsp;vii.&emsp;&nbsp;&nbsp;PDF Password Protect<br>

+&emsp;&emsp;viii.&emsp;&nbsp;Content Processing: Move or copy a file, set a content type from file name

+**REQUIREMENTS TO ENABLE THE FEATURES**

+&emsp;&emsp;a)&emsp;Customer must have a healthy Azure subscription connected to Microsoft Syntex<br>

+&emsp;&emsp;b)&emsp;A Microsoft 365 tenancy with either Microsoft 365 admin access or SharePoint Online admin access

+**EVALUATION PERIOD**

+This Limited Time License is effective on your acceptance and terminates on the earlier of (i) 30 days following first general availability of a commercial release of the Features in a Microsoft product or a future Microsoft product or (ii) June 30, 2024.

+After the Evaluation Period, Microsoft reserves the right to require an additional SKU for these capabilities. You will not be billed for use during the Evaluation Period.

+**LICENSE**

+The Features are licensed, not sold. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you will not (and have no right to):

+**APPLICABLE LAW AND PLACE TO RESOLVE DISPUTES.**

+If you acquired the software in the United States or Canada, the laws of the state or province where you live (or, if a business, where your principal place of business is located) govern the interpretation of this agreement, claims for its breach, and all other claims (including consumer protection, unfair competition, and tort claims), regardless of conflict of laws principles. If you acquired the software in any other country, its laws apply. If U.S. federal jurisdiction exists, you and Microsoft consent to exclusive jurisdiction and venue in the federal court in King County, Washington for all disputes heard in court. If not, you and Microsoft consent to exclusive jurisdiction and venue in the Superior Court of King County, Washington for all disputes heard in court.

+**LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES.**

+**Except as described herein, the only remedy for claims relating to these Terms is for you to terminate your use of the Features. Neither Party can recover any damages, including direct, consequential, lost profits, special, punitive, indirect or incidental damages from the other. This limitation applies:**

+&emsp;**1.&emsp;To claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.**<br>

+&emsp;**2.&emsp;Even if one of us knew or should have known about the possibility of the damages.**

+&emsp;**The limitations in this section does not apply to claims arising from or in connection with any infringement, misuse, or misappropriation by one of us of the otherΓÇÖs intellectual property rights.**