Forum Widgets
Latest Discussions
Do XDR Alerts cover the same alerts available in Alert Policies?
The alerts in question are the 'User requested to release a quarantined message', 'User clicked a malicious link', etc. About 8 of these we send to 'email address removed for privacy reasons'. That administrator account has an EOM license, so Outlook rules can be set. We set rules to forward those 8 alerts to our 'email address removed for privacy reasons' address. This is, very specifically, so the alert passes through the @tenant.com address, and our ticketing endpoint knows what tenant sent it. But this ISN'T ideal because it requires an EOP license (or similar - this actually hasn't been an issue until now just because of our customer environments). I've looked at the following alternatives: - Setting email address removed for privacy reasons as the recipient directly on the Alert Policies in question. This results in the mail going directly from microsoft to our Ticketing Portal - so it ends up sorted into Microsoft tickets. and the right team doesn't get it. SMTP Forwarding via either Exchange AC User controls or Mail Flow Rules. But these aren't traditional forwarding, and they have the same issue as above. Making administrator @tenant.com a SHARED mailbox that we can also login to (for administration purposes). But this doesn't allow you to set Outlook rules (or even login to Outlook). I've checked out the newer alerts under Defender's Settings panel - XDR alerts, I think they're called. Wondering if these can be leveraged at all for this? Essentially, trying to get these Alerts to come to our external ticketing address, from the tenants domain (instead of Microsoft). I could probably update Autotask's rules to check for a header, and set that header via Mail Flow rules, but.. just hoping I don't have to do that for everyone.Impersonation Protection: Users to Protect should also be Trusted Senders
Hey all, sort of a weird question here. Teaching my staff about Impersonation Protection, and it's kind of occurred to me that any external sender added to 'Senders to Protect' sort of implicitly should also be a 'Trusted Sender'. Example - we're an MSP, and we want our Help Desk (email address removed for privacy reasons) to be protected from impersonation. Specifically, we want to protect the 'Help Desk' name. So we add email address removed for privacy reasons to Senders to protect. However, we ALSO want to make sure our emails come thru. So we've ALSO had to add email address removed for privacy reasons to Trusted Senders on other tenants. Chats with Copilot have sort of given me an understanding that this is essentially a 'which is more usefuI' scenario. But CoPilot makes things up, and I want some human input. In theory, ANYONE we add to 'trusted senders' we ALSO want protected from Impersonation. Anyone we protect from Impersonation we ALSO want to trust. Copilot says you SHOULDN'T do both. Which is better / more practical?
I would like to know the complete list of alerts whose serviceSource is MDO
Hi all In order to determine the alerts that should be monitored by the SOC, I would like to identify, from the alerts listed at the link below, those whose serviceSource is Microsoft Defender for Office 365 (MDO). https://learn.microsoft.com/en-us/defender-xdr/alert-policies I couldn’t find where this is documented, no matter how thoroughly I searched, so I would appreciate it if you could point me to the relevant documentation. thx
Defender for iOS: “This account has reached its devices limit” even though no devices are listed
I am using all 5 devices available (2 PC's, 1 Mac, 2 IOS devices) I was trying to install Microsoft Defender for IOS on a new iPhone created by copying from the old phone (iPhone 11) to the new phone (iPhone 17). I erased my old iPhone 11 while Defender was still installed My Microsoft account shows zero mobile devices (none were linked to my MS account) Defender on the new iPhone never completed sign‑in with my MS account “Sign out everywhere” and app removal didn’t help (also app removal, restart IOS device, reinstall Defender for IOS) You suspect a stuck Defender mobile enrollment token You need Microsoft to reset the backend mobile device slot From Office Copilot: What to tell the agent (so you don’t get bounced) Use this exact wording: “Microsoft Defender for iOS says ‘This account has reached its devices limit’ even though no devices appear in my Microsoft account. My old iPhone was erased while Defender was still signed in. I need my Defender mobile device enrollment reset.” This sends them straight to the backend reset tool. Why this works when everything else doesn’t The issue isn’t on your devices or in your account UI — it’s a server-side Defender mobile quota flag that only Microsoft support can clear. The consumer Defender team (under Microsoft 365 support) is the only group with access to that system.
I have absolutely no idea what Microsoft Defender 365 wants me to do here
The process starts with an emal: There's more below on the email - an offer for credit monitoring, an option to add another device, an option to download the mobile app - but I don't want to do any of the, so I click on the "Open Defender" button, which results in this: OK, so my laptop is the bad boy here, there's that Status not of "Action recommended", with no "recommendations" and the only live link here is "Add device", something I don't need to do. The only potential "problem" I can even guess at here is that Microsoft is telling me that the laptop needs updating. Since I seldom use the laptop, only when traveling, I'd guess the next time I'd fire it up the update will occur, but of course I really don't know that's the recommended action it's warning me about, do I? You'd expect that if something is warning you "ACTION NEEDED!!!" they'd be a little more explicit, wouldn't you?Tenant Forwarding - Trusted ARC Sealer
As part of a tenant to tenant migration we often need to forward mail from one tenant to another. This can cause some issues with email authentication verdicts on the destination tenant. Is it possible or best practice to configure another tenant as a Trusted ARC sealer to help with forwarded email deliverability?License question
Hello, From what I've read, if I have 10 licensed (Defender for Office 365) users, each with their own mailbox and an additional shared mailbox connected, I only need to license those 10 users (the shared mailbox doesn't need to be licensed additionally). However, I don't see such a provision in the licensing agreements themselves. If I understand this correctly, can someone point me to the relevant clause in the agreement? Does a shared mailbox that no one uses require a Defender license (if the organization uses Defender for Office 365 licenses)? thx.Secure Score rec. out of date - Entra consent settings
TLDR: 1. SecureScore recommendation for user consent settings does not match the User Consent settings recommendation. 2. Also, the recommendation on User Consent page is not described in a sensible way. This recommendation - Ensure user consent to apps accessing company data on their behalf is not allowed - instructs people to set the Consent Settings to 'Allow users to consent to low-level permissions', and select the low-level permissions. Optionally, to also set up admin workflow. This is the SecureScore recommended process we've been using. It was bugged, so we'd set it to 'Resolved by ____' usually once completed. It looks like this is fixed and now properly shows Completed (from testing, the manual resolve statuses aren't overwritten by the automatic completion - it'll wait until those are set to something else to update it to completed. Anyway,, that's not the issue. Recently noticed on the actual Consent blade, it shows that the recommendation is Microsoft-managed. I've never noticed this before - i believe it's new. So now it's kinda unclear what's ACTUALLY recommended. Reading the associated KB, it is described currently as 'end users can consent for any user consentable delegated permissions EXCEPT: Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All.'. But it doesn't actually describe what are 'user consentable' is... is that whatever 'low impact' permissions you set? is it something completely different? So the options are 1. Users can't consent 2. Users can consent to permissions you deem low-risk 3. Users can consent to permissions users can consent to, but not these x There isn't a feedback button on SecureScore.
user-reported phishing emails
Dear Community I have a technical question regarding user-reported emails. In Defender, under “Action and Submissions” -> “Submissions,” I can see the emails that users have reported under the “user reported” option. There, we have the option to analyze these emails and mark them as “no threats found,” “phishing,” or “spam.” The user is then informed. Question: Do these reported emails remain in the user's inbox when they report them? If not, do we have the option to return these reported emails to the user's inbox with the “No threats found” action? Because I don't see this option. In another tenant, under “Choose response Action,” I see “move or delete,” but the “inbox” option is grayed out. Why is that? Thank you very much!
