Enhanced action experience (Action wizard V2) from Email entity / Summary panel
Published Nov 21 2023 09:30 AM 4,137 Views

We are excited to announce the new “Take actions” experience in the Email Entity and Email Summary panel. This new experience will allow users to act on threats faster, while also enabling more efficient resolution of issues like False Positives/False Negatives (FP/FN)


In August 2022, we announced similar functionality with the Action wizard being introduced to the Email Entity panel. After receiving feedback that users wanted the ability to combine multiple actions together, and for this feature to be accessible in the Email Summary Panel in addition to the Email Entity Panel.


Now, with this rollout, SecOps teams can use the “Take actions” button to chain multiple actions together. Examples of actions which can be combined include purging emails, inline submissions, and tenant level block actions to URLs or Files. To further improve ease of use, we’re making this functionality available in both the Email Entity and Email Summary panels. This simplified workflow can dramatically decrease the number of manual steps and overhead required by SecOps teams to effectively follow up on email threats.


The “Take actions” button will appear in the top-right corner of the Email Entity and Email Summary panel. Clicking on this button will open the Action wizard, which provides step-by-step guidance on how to select one, or multiple actions together. Please note that the actions available to any given user are still subject to the same permissions requirements as before, based on their membership/role in the organization.

MicrosoftTeams-image (1).png

Figure 1:


Figure 2:

The aim is to enrich single entity remediation actions by providing the following -

  • Logical grouping of good (false positives) and bad (false negative) message actions
  • Contextual actions by not showing a flat list of actions that means few actions will be grayed out depending on message latest location. For example – If the message is in already in inbox, you will see the move to inbox action will be grayed out.


Figure 3:


  • Support Tenant level block URLs and files (New addition to Take Actions) from the same panel.

MicrosoftTeams-image (4).png

Figure 4:


  • Multi selection of following action types:
    • Email purge action/ Two-step approval (propose remediation)
    • Submit to Microsoft for feedback.
    • Tenant level allow/ block rules.
    • Triger Auto-investigations


How will action wizard v2 work?

Considering that the SecOps have already investigated in the summary panel/email entity page and selected entities they want to remediate, below is a step-by-step process -

    • Click on the Take Action button from the top right corner of the email entity page /summary panel.
    • Select desired email message actions in Choose action step.
    • Then in the second step / Choose targeted entities provide name to your remediation and description to track the action logs later.
    • Review the actions you are going to take and submit.
    • Track these actions in the Unified action center (for deleted emails), in the Submission portal (for submissions), investigations (for investigations ) and in Tenant Allow/Block Lists page for (TABL blocks).


NOTE: It is important to note that the actions may take some time to show up in the respective pages due to the process they follow, but this will not impact the current speed of remediation and functionality as well. Additionally, there is no change to Threat explorer and Advanced hunting remediation options at this point.

Anywhere you find email summary panel and email entity page, you would see the new action experience.


Learn more:

Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum


1 Comment
Version history
Last update:
‎Nov 30 2023 01:34 PM
Updated by: