Microsoft Defender for Office 365 Ask Microsoft Anything
Event details
This March we announced the public preview of collaboration security for Microsoft Teams. We are bringing the full feature set that customers use to protect their email environments across prevention, detection, and response to Microsoft Teams.
We are excited to bring collaboration security into the XDR SOC experience in Microsoft 365 Defender and help defenders protect their Microsoft Teams environment from emerging threats with end-to-end prevention, detection, and protection capabilities - so that organizations can continue to collaborate with confidence.
An AMA is a live text-based online event similar to a “YamJam” on Yammer or an “Ask Me Anything” on Reddit. This AMA gives you the opportunity to connect with Microsoft product experts who will be on hand to answer your questions and listen to feedback.
Feel free to post your questions about collaboration security for Microsoft Teams anytime in the comments before the event starts, although the team will only be answering questions during the live hour!
57 Comments
- Trevor_Rusher
Community Manager
Thank you all for joining our AMA today! I'll be locking this event to new questions but you should always be able to see all the questions and answers here on this page in perpetuity, so feel free to bookmark. We will also be following up on any existing threads for follow-up questions and answering any other questions that came in before 10AM PST. If you have more questions related to MDO feel free to check out the Defender for Office 365 Discussion Space here on Tech Community!
- Steven-H
Brass Contributor
If a security operator chooses to set an account to blocked sign-in, is it possible to prevent AAD Connect from overwriting that status without also having to go into AD and disable the account? I.e. sync the status down to AD.
- RossAdams
Microsoft
Hi Steven, unfortunately we aren't the right team for this question. However, based on what I know from working in the AAD team previously, this may not be possible, in that the next sync will result in the user being able to sign in again; this is because AD is the master of the account properties. I would suggest opening a case with the team as they may well have changed this behavior. Regards, Ross.
- CRL55
Copper Contributor
Can we 'allow list' internal senders who are getting blocked from sending outbound due to the following? (Basically a false positive.) "Alert description User has been detected as sending suspicious messages outside the organization and will be restricted if this activity continues. -V1.0.0.1"
- johnengels
Microsoft
CRL55 - A bit of further clarification on Dhairyya's comment. You cannot remove this protection/control, as it is designed to prevent compromised users from exposing the organization/domain to compromise and abuse (i.e. email domain reputation protection). It is flagging cases where the user is sending out messages that are being detected as suspicious (spam) or malicious (phish/malware) within the broader Exchange Online environment. If left unchecked, it could mean that other emails from your organization get blocked or junked; in some cases other third-party cloud email services might be doing the same. This alert/protection most often triggers for people sending out legitimate emails when sending out advertising, newsletters, etc. that contain links. Office isn't intended for marketing email purposes, so the limits are set relatively low and may get triggered when sending to big volumes of users or distribution lists that have many names. You can adjust the users' limits up or down, but I'm not aware of how high you can set it. Bumping it up too much could affect domain reputation and should not be done en masse; instead limit it to specific users/groups. The specific policy to use is the outbound spam policy; target specific users and try some higher message limits.
- Dhairyya_Agarwal
Microsoft
Thanks for your question, CRL55. That is not possible, as when you get this alert it might be a sign of an account compromise, as the user might be sending malicious messages out. So you actually need to check or tweak your outbound policy.
- CRL55
Copper Contributor
Thanks - but we've been around the houses and investigated to the nth degree, and the email/sender/IP/contents/attachment are all completely legitimate. Having to go into 'restricted entities' every other day to unblock them is a bit of a pain. Thanks anyway.
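The approach johnengels describes (a scoped outbound spam policy for the users who legitimately send high volumes, rather than loosening the tenant default) and the "restricted entities" list CRL55 mentions can both be handled from Exchange Online PowerShell. The script below is an added example, not code from the AMA thread or from Microsoft; the group name, policy name and limit values are constructed placeholders, and it assumes the ExchangeOnlineManagement module and an Exchange Online admin role.

```powershell
# Added example (not from the AMA thread or from Microsoft): scope higher outbound
# sending limits to one group instead of raising the default policy tenant-wide,
# and review the users currently on the restricted-entities list.
# Requires the ExchangeOnlineManagement module and an Exchange Online admin role.
# Group, policy and limit values below are constructed placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

$GroupMail  = 'newsletter-senders@contoso.example'   # placeholder group
$PolicyName = 'Outbound-Newsletter-Senders'          # placeholder policy name

function Show-DefaultOutboundLimits {
    # The built-in policy applies to everyone not matched by a custom rule;
    # 0 means "use the service default", so leave it alone and scope changes instead.
    Get-HostedOutboundSpamFilterPolicy -Identity Default |
        Select-Object Name, RecipientLimitExternalPerHour, RecipientLimitInternalPerHour,
                      RecipientLimitPerDay, ActionWhenThresholdReached
}

function New-ScopedOutboundPolicy {
    param(
        [string]$Name,
        [string]$FromGroup,
        [int]$ExternalPerHour = 1000,   # constructed values; tune to the real sending pattern
        [int]$InternalPerHour = 2000,
        [int]$PerDay          = 5000
    )
    # Alert rather than auto-block so the SOC still sees a threshold breach for these
    # senders without their business mail stopping for the rest of the day.
    $policy = New-HostedOutboundSpamFilterPolicy -Name $Name `
        -RecipientLimitExternalPerHour $ExternalPerHour `
        -RecipientLimitInternalPerHour $InternalPerHour `
        -RecipientLimitPerDay $PerDay `
        -ActionWhenThresholdReached Alert

    # The rule decides who the policy applies to: only members of the group.
    New-HostedOutboundSpamFilterRule -Name "$Name-Rule" `
        -HostedOutboundSpamFilterPolicy $policy.Name `
        -FromMemberOf $FromGroup -Priority 0 | Out-Null
    return $policy
}

function Get-RestrictedSenders {
    # Same list as "Restricted entities" in the portal, with the reason for the block.
    Get-BlockedSenderAddress | Select-Object SenderAddress, Reason, CreatedDatetime
}

function Unblock-InvestigatedSender {
    param([string]$SenderAddress)
    # Only after the investigation described in the thread (sender, IP, content and
    # attachments verified): removing the block without that check would let a
    # genuinely compromised account resume sending.
    Remove-BlockedSenderAddress -SenderAddress $SenderAddress
}

Show-DefaultOutboundLimits
New-ScopedOutboundPolicy -Name $PolicyName -FromGroup $GroupMail
Get-RestrictedSenders
```

Keeping the raised limits in a separate policy with a rule scoped to one group means the default thresholds, and with them the compromised-account detection, stay in force for everyone else. The `Reason` column from `Get-BlockedSenderAddress` is worth recording before each unblock; a user who keeps reappearing with the same reason is the signal to look at the sending pattern rather than the limit.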
- Steven-H
Brass Contributor
Are there any plans to show all the conditional access details like you can see in the sign-in logs without having to navigate out of the incident?
- MalvikaBalaraj
Microsoft
Thanks for your question, Steven. We are focusing on answering questions related to Microsoft Defender for Office 365 in this AMA. For questions related to other products, you can join our CCP Teams channel: aka.ms/JoinCCP
- Steven-H
Brass Contributor
I don't understand the response. Microsoft Defender for Office 365 has an incidents page which shows some sign-in details for any user accounts involved but it lacks showing all the Conditional Access details that we'd immediately want to look at.
- VNJoe
Iron Contributor
1. Tamper Protection prevents ANY other product or RMM from managing your AV except Microsoft. This is clearly "by product design". Is this changing?
2. Tamper Protection also prevents any third-party updates from Microsoft sources and instead, triggers events and warnings in many RMM's that aren't Microsoft's. Will this change?
3. Intune/Defender for Cloud/Whatever You Call It Today is in 3 different locations for management and in each of those, there are dozens of useless categorizations that hide what someone is attempting to work with. A clear case in point is any type of Anti-Spam filtering. The flyouts and the multiple clicks to do simple things are slow, and the platform itself is often unresponsive because of it. Can you get a better design UI?
4. Email "protection" is miserably inaccurate. The defaults were to quarantine messages and not alert anybody. I had dozens of customers furious they lost business because of this. Now, you've added that functionality but turned it off by default. Customers need to know they have a blocked email, not admins. We're not gatekeepers for organizations' email flow. The default needs to be Users notified and if the company is large enough to have someone to be a gatekeeper, they can turn that OFF.
5. "Secure by Default" by definition means it's a Default setting that can be changed. You're using the word wrong if you can't open the overaggressive controls back up for SMB's that simply need to do their work, not fight MOTW or missing emails in quarantine.
6. You're writing this suite now for Large Corporations and eschewing the SMB and mid-size space by doing so. 80% of companies are SMB, they are where you grew this part of the business, but they don't have the staff to manage these defaults.
7. Why are there 'Devices' and 'Assets' in Intune as major categories when they're the same thing?
8. What's being done about Servers?
- Melanie_Cohen
Microsoft
6. You're writing this suite now for Large Corporations and eschewing the SMB and mid-size space by doing so. 80% of companies are SMB, they are where you grew this part of the business, but they don't have the staff to manage these defaults.
Answer: We're heavily investing in SMB and would love to keep in touch on challenges the customers would like us to solve in the collaboration protection space. Please sign up at aka.ms/JoinCCP where we can engage more in detail.
- FaithEbenezerOquong
Microsoft
4. Email "protection" is miserably inaccurate. The defaults were to quarantine messages and not alert anybody. I had dozens of customers furious they lost business because of this. Now, you've added that functionality but turned it off by default. Customers need to know they have a blocked email, not admins. We're not gatekeepers for organizations' email flow. The default needs to be Users notified and if the company is large enough to have someone to be a gatekeeper, they can turn that OFF.
Answer: In message center post MC505088 (with title "Microsoft Defender for Office 365: Quarantine Notifications enabled for Preset Security Policies"), we made changes to the preset policies to enable Quarantine Notification for these policies as of early Feb 2023. Preset policies that quarantine email messages should have the corresponding "DefaultFullAccessWithNotificationPolicy" Quarantine policy assigned to them. With this change, end users should be notified when email messages land in their Quarantine folder.
5. "Secure by Default" by definition means it's a Default setting that can be changed. You're using the word wrong if you can't open the overaggressive controls back up for SMB's that simply need to do their work, not fight MOTW or missing emails in quarantine.
Answer: There are future plans to allow for customization of a Quarantine policy that is linked to the preset security policies. Please stay tuned for this.
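The answer above says that preset policies which quarantine mail should now carry a quarantine policy with notifications enabled. Whether that holds in a given tenant, and whether any custom policy still quarantines silently, can be checked from Exchange Online PowerShell. The script below is an added example, not code from the AMA thread or from Microsoft; it assumes the ExchangeOnlineManagement module, reads only the tenant's existing policy names, and treats a quarantine policy whose `ESNEnabled` flag is off as "silent".

```powershell
# Added example (not from the AMA thread or from Microsoft): report which quarantine
# policy ("tag") each anti-spam, anti-phish and anti-malware policy uses, and flag
# any that route mail to quarantine without end-user notifications (ESN) enabled.
# Requires the ExchangeOnlineManagement module. Policy names come from the tenant.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

function Get-QuarantinePolicyNotificationMap {
    # Quarantine policy name -> whether end-user spam notifications are enabled.
    $map = @{}
    foreach ($qp in Get-QuarantinePolicy) {
        $map[$qp.Name] = [bool]$qp.ESNEnabled
    }
    return $map
}

function Get-QuarantineTagUsage {
    # Each verdict on a threat policy points at a quarantine policy. Collect every
    # (policy, verdict, tag) row so the whole tenant can be audited in one table.
    # Note: this audits the tag only; a verdict whose action is not "Quarantine"
    # (e.g. SpamAction = MoveToJmf) never uses its tag.
    $rows = @()
    foreach ($p in Get-HostedContentFilterPolicy) {
        foreach ($v in 'SpamQuarantineTag','HighConfidenceSpamQuarantineTag',
                       'PhishQuarantineTag','HighConfidencePhishQuarantineTag','BulkQuarantineTag') {
            $rows += [pscustomobject]@{ Policy = $p.Name; Kind = 'Anti-spam'; Verdict = $v; Tag = $p.$v }
        }
    }
    foreach ($p in Get-AntiPhishPolicy) {
        foreach ($v in 'SpoofQuarantineTag','TargetedUserQuarantineTag',
                       'TargetedDomainQuarantineTag','MailboxIntelligenceQuarantineTag') {
            $rows += [pscustomobject]@{ Policy = $p.Name; Kind = 'Anti-phish'; Verdict = $v; Tag = $p.$v }
        }
    }
    foreach ($p in Get-MalwareFilterPolicy) {
        $rows += [pscustomobject]@{ Policy = $p.Name; Kind = 'Anti-malware'; Verdict = 'QuarantineTag'; Tag = $p.QuarantineTag }
    }
    return $rows
}

function Find-SilentQuarantines {
    # Rows whose quarantine policy exists but has notifications switched off.
    $esn = Get-QuarantinePolicyNotificationMap
    Get-QuarantineTagUsage | Where-Object {
        $_.Tag -and $esn.ContainsKey($_.Tag) -and -not $esn[$_.Tag]
    }
}

# Full picture first, then only the rows a user would never hear about.
Get-QuarantineTagUsage | Format-Table -AutoSize
Find-SilentQuarantines | Format-Table -AutoSize

# For a custom (non-preset) policy the tag can be changed, for example:
#   Set-HostedContentFilterPolicy -Identity 'Custom Anti-Spam' `
#       -SpamQuarantineTag DefaultFullAccessWithNotificationPolicy
# The Standard/Strict preset assignments are managed by the service, as the answer notes.
```

Running the report after the MC505088 change landed gives a concrete before/after record: the preset rows should show `DefaultFullAccessWithNotificationPolicy`, and anything left in `Find-SilentQuarantines` is a custom policy the admin chose, not a default the users are unaware of.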
- CRL55
Copper Contributor
Am I correct in thinking that wildcard searches for senders and recipients (not domains) within Threat Explorer are not possible?
- Ajaj_Shaikh
Microsoft
Hi CRL55, currently we do not support wildcard searches in Threat Explorer. You can check out the Advanced Hunting experience under Hunting->Advanced Hunting where we provide a KQL-based filtering experience which might help you get the desired results. Please check out this link for more details on Advanced Hunting - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
- CRL55
Copper Contributor
Thanks - but having moved from Mimecast to 365 it would be nice to have this simple feature added to the capabilities within the GUI. KQL is fine if you have the time to sit down and learn it - even the query builder can be monotonous. Would be nice to have basic search capabilities all in the same place.
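For the wildcard sender/recipient search that Threat Explorer lacks, the Advanced Hunting route Ajaj_Shaikh points to can be wrapped so that nobody has to hand-write the KQL each time. The script below is an added example, not code from the AMA thread or from Microsoft: it turns a `*` pattern into a regex-based KQL query over the `EmailEvents` table and submits it through the Microsoft Graph advanced hunting endpoint. It assumes the Microsoft.Graph.Authentication module and the `ThreatHunting.Read.All` permission; the addresses and look-back window are constructed placeholders.

```powershell
# Added example (not from the AMA thread or from Microsoft): turn a wildcard sender /
# recipient pattern, which Threat Explorer does not accept, into an Advanced Hunting
# KQL query over EmailEvents and run it through the Microsoft Graph advanced hunting API.
# Requires the Microsoft.Graph.Authentication module and the ThreatHunting.Read.All
# permission. Addresses and the look-back window below are constructed placeholders.

Import-Module Microsoft.Graph.Authentication

function ConvertTo-KqlRegex {
    param([string]$Pattern)
    # Escape everything, then re-enable only '*' as ".*", so "j*@contoso.example"
    # matches jsmith@contoso.example but the '.' in the domain stays literal.
    $escaped = [regex]::Escape($Pattern).Replace('\*', '.*')
    return "(?i)^$escaped`$"       # (?i): KQL 'matches regex' is case-sensitive by default
}

function New-EmailWildcardQuery {
    param(
        [string]$Sender    = '*',   # wildcard patterns, constructed
        [string]$Recipient = '*',
        [int]$Days = 7
    )
    $s = ConvertTo-KqlRegex $Sender
    $r = ConvertTo-KqlRegex $Recipient
    # The same text can be pasted into Hunting -> Advanced hunting in the portal.
    return @"
EmailEvents
| where Timestamp > ago(${Days}d)
| where SenderFromAddress matches regex @"$s"
| where RecipientEmailAddress matches regex @"$r"
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
          Subject, DeliveryAction, ThreatTypes
| order by Timestamp desc
"@
}

function Invoke-EmailWildcardHunt {
    param([string]$Sender = '*', [string]$Recipient = '*', [int]$Days = 7)
    $kql = New-EmailWildcardQuery -Sender $Sender -Recipient $Recipient -Days $Days
    $response = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Body @{ Query = $kql }
    # Each result row comes back as a hashtable keyed by column name.
    foreach ($row in $response.results) { [pscustomobject]$row }
}

Connect-MgGraph -Scopes 'ThreatHunting.Read.All'
Invoke-EmailWildcardHunt -Sender 'j*@contoso.example' -Recipient '*@partner.example' -Days 30 |
    Format-Table Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction
```

Anchoring the regex with `^` and `$` keeps `j*@contoso.example` from also matching `j.smith@contoso.example.attacker.test`, and escaping the pattern before substituting `*` means a user-supplied string cannot change the shape of the query beyond the wildcard positions. `New-EmailWildcardQuery` returns plain KQL, so the query can be reviewed or pasted into the portal before anything is executed.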
- stephjurenka
Copper Contributor
Will our Teams environment automatically be integrated into Defender or do we need to enable it?
- MalvikaBalaraj
Microsoft
Hi Stephanie, thank you for your question. For our current private preview, you will need to enable Teams protection. You can find more information here: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-support-teams-about?view=o365-worldwide
- VNJoe
Iron Contributor
Are answers coming any time soon? After 20 minutes, no tangible replies from anyone. We got a "Hello", some "Likes" and a response to someone who asked to hop on the phone call for this that the Teams info is on a different Community Hub.
- Trevor_Rusher
Community Manager
Hi Joe, the team is working on getting replies out, we will be sure to answer everything!
- CarnegieJ-IAYF
Iron Contributor
Are there Microsoft Defender for Office 365 partner playbooks, security guides, and training/demo content available for offline viewing?
- Ajaj_Shaikh
Microsoft
We do have training content on Microsoft Defender for Office 365. You can check out this blog to access the content - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/become-a-microsoft-defender-for-office-365-ninja-june-2022/ba-p/2187392
- VNJoe
Iron Contributor
Do you know how much Defender has changed from June 2022, and that's the last time that "Ninja" info was updated?
- AMateos91
Iron Contributor
Hello everyone, nice to reach out to you. This is Abraham Mateos, Founder at Kumy Solutions, and I was just wondering if Defender for Office 365 will be integrating in the future AI image identification for Security measures, even as a required protocol. Thank you!
- johnengels
Microsoft
Hi Abraham - Not quite sure what you mean by 'image identification' Abraham. We already do have some image analysis functions in the detonation process (mainly to identify look-alike credential phishing), with some additional improvements coming in the future (specifics and timing TBD). As attackers shift to using images rather than text to display their malicious content to users, we do recognize that more image functions are needed and are planning for that.
- AMateos91
Iron Contributor
Thank you so much John. That was the content I was looking for.