Safe Documents is a new feature that improves the existing Protected View experience. Although Protected View helps secure documents originating outside the organization, people too often exit the protection sandbox without considering if the document is safe – leaving their organizations vulnerable. To improve this trust promotion experience for Microsoft 365 Apps, Safe Documents takes away the guesswork by automatically verifying the document against the latest known risks and threat profiles before allowing users to leave the Protected View container.
Keeping Users Safe:
Safe Documents leverages the power of the Microsoft Intelligent Security Graph and brings it to the desktop. When an admin enables Safe Documents for their tenant, untrusted files that open in Protected View go through an additional flow where the document is uploaded and scanned by Microsoft Defender ATP. Learn more about how Microsoft is handling user data here.
While a scan is in progress, Safe Documents will prevent users from exiting the Protected View container. Users are still able to access and read the document during this process but will be unable to make any edits until the scan has completed.
Once the file has been successfully scanned, users will be able to leave the Protected View container with confidence that their file is safe.
In case of a malicious file (above), users will be blocked from leaving the Protected View container. Admins can configure whether users can bypass and ‘Enable Editing’ for malicious scenarios in the Admin portal. Learn more about the user experience in this article.
Analytics for Admins:
In addition to providing these protections to enterprise users, we have also integrated features from Microsoft Defender Advanced Threat Protection – where admins can use the powerful Advanced Hunting feature, based on the Kusto query language, to get additional details in their tenants by using the DeviceEvents table and filtering for ActionType ‘SafeDocFileScan’.
Details to get started with Advanced Hunting are available here. As we continue to receive feedback from customers, we will plan for additional functionality as we integrate with other features in the MDATP toolkit to provide greater visibility into these detections.
Enabling Safe Documents:
This feature is off by default and needs to be enabled by a Security Administrator. To turn on Safe Documents, the admin should navigate to the Security & Compliance center and go to Threat Management > Policy > ATP Safe Attachments where there will be settings to ‘Turn on Safe Documents for Office clients’ and another option to allow users to bypass protections if a file is malicious.
Thank you for those who joined us in the preview. We look forward to more of you enabling this protection and hearing feedback on how we can improve and evolve this solution.
* The Safe Documents feature is only available with a ‘Microsoft 365 E5’ or ‘Microsoft 365 E5 Security’ license for Commercial and Education customers on Windows clients.