Microsoft 365 Blog

Safe Documents is Generally Available

Kenny Shi
Microsoft
Jun 22, 2020

Building on secure productivity, today we announce the general availability of Safe Documents*, a new Microsoft 365 Apps feature that keeps enterprise users safe by verifying untrusted files on their behalf. 

 

Safe Documents is a new feature that improves the existing Protected View experience. Although Protected View helps secure documents originating outside the organization, people too often exit the protection sandbox without considering if the document is safe – leaving their organizations vulnerable. To improve this trust promotion experience for Microsoft 365 Apps, Safe Documents takes away the guesswork by automatically verifying the document against the latest known risks and threat profiles before allowing users to leave the Protected View container. 

 

Keeping Users Safe:

 

Safe Documents leverages the power of the Microsoft Intelligent Security Graph and brings it to the desktop. When an admin enables Safe Documents for their tenant, untrusted files that open in Protected View go through an additional flow where the document is uploaded and scanned by Microsoft Defender ATP. Learn more about how Microsoft is handling user data here.

 

 

While a scan is in progress, Safe Documents will prevent users from exiting the Protected View container. Users are still able to access and read the document during this process but will be unable to make any edits until the scan has completed.

 

Once the file has been successfully scanned, users will be able to leave the Protected View container with confidence that their file is safe.

 

 

In case of a malicious file (above), users will be blocked from leaving the Protected View container. Admins can configure whether users can bypass and ‘Enable Editing’ for malicious scenarios in the Admin portal. Learn more about the user experience in this article.

 

Analytics for Admins:

 

In addition to providing these protections to enterprise users, we have also integrated with Microsoft Defender Advanced Threat Protection: admins can use the Advanced Hunting feature, based on the Kusto query language, to get additional details for their tenants by querying the DeviceEvents table and filtering for ActionType ‘SafeDocFileScan’.
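
A query of the kind described above, as an added example that is not from the original post. The DeviceEvents table and the SafeDocFileScan ActionType come from the article; the 30-day window, the per-device rollup and the 50-row cutoff are choices made for this example.

```kusto
// Added example (not from the original post): Safe Documents scan activity
// per device and Office application.
// From the article: DeviceEvents table, ActionType "SafeDocFileScan".
// Assumed for this example: 30-day window, per-device rollup, top 50 cutoff.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "SafeDocFileScan"
| summarize
    Scans         = count(),
    DistinctFiles = dcount(FileName),
    FirstScan     = min(Timestamp),
    LastScan      = max(Timestamp),
    SampleFiles   = make_set(FileName, 5)
    by DeviceName, App = InitiatingProcessFileName
| order by Scans desc
| take 50
```

The AdditionalFields column of each row carries event-specific detail; the article does not describe its layout for this event, so inspect it on raw rows before parsing it.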

 

 

Details to get started with Advanced Hunting are available here. As we continue to receive feedback from customers, we will plan for additional functionality as we integrate with other features in the MDATP toolkit to provide greater visibility into these detections.

 

Enabling Safe Documents:

 

This feature is off by default and needs to be enabled by a Security Administrator. To turn on Safe Documents, the admin should navigate to the Security & Compliance center and go to Threat Management > Policy > ATP Safe Attachments where there will be settings to ‘Turn on Safe Documents for Office clients’ and another option to allow users to bypass protections if a file is malicious.

 

 

Thank you to those who joined us in the preview. We look forward to more of you enabling this protection and hearing feedback on how we can improve and evolve this solution.

 

* The Safe Documents feature is only available with a ‘Microsoft 365 E5’ or ‘Microsoft 365 E5 Security’ license for Commercial and Education customers on Windows clients.

 

Updated May 06, 2021
Version 3.0
  • Hey Kenny Shi, appreciate the write up.  

     

    If this is an E5 feature, but enabled at the tenant level, are users on <E5 licenses automatically out of scope (they do not get Safe Documents) or will they technically be able to use it, but not be license compliant?  If the latter, it's hard to recommend anyone enables this yet.

     

    Thanks!

  • Kenny Shi Microsoft
    ‎2020-07-02 06:51 PM

     

    Thanks for your interest @Ruairidh Campbell! Office clients will be enforcing these license checks, so even if the feature is enabled for the entire tenant only the correctly licensed E5 users will be able to get the functionality. 


    That's awesome, makes things a lot simpler than managing with scopes as you do in other parts of O365 ATP.  Thanks!

  •
    Brad Rush
    Copper Contributor

    We enabled this feature but had to quickly turn it off due to some very large documents taking 10-15 minutes to open. Will there be some configuration options in the future to limit or reduce the impact of this feature but still benefit from its protection abilities?

    Where can we learn or follow more about how this feature will develop in the future?


    Thanks very much,

  • Thanks for reaching out Brad Rush! We have a document upload limit of 60 MB currently but these scans should not be taking that long. I've reached out privately to get additional details to help us investigate your issue. Appreciate your patience!

  •
    ace_g
    Copper Contributor

    Kenny Shi I'm having the same issue as Brad Rush. Is there any recommendation or any specific settings I can look at? Spreadsheets that are just about 2mb take almost a minute to open. Thank you

  •
    Jeff-678
    Copper Contributor

    Can you clarify availability for Government GCC tenants, i.e., can M365 G5 subscription holders use SafeDocs app features? If not, what does the roadmap look like for GA in GCC?