<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>Microsoft Defender for Office 365 topics</title>
    <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/bd-p/MicrosoftDefenderforOffice365</link>
    <description>Microsoft Defender for Office 365 topics</description>
    <pubDate>Fri, 10 Apr 2026 10:29:33 GMT</pubDate>
    <dc:creator>MicrosoftDefenderforOffice365</dc:creator>
    <dc:date>2026-04-10T10:29:33Z</dc:date>
    <item>
      <title>Do XDR Alerts cover the same alerts available in Alert Policies?</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/do-xdr-alerts-cover-the-same-alerts-available-in-alert-policies/m-p/4508139#M1144</link>
      <description>&lt;P&gt;The alerts in question are the 'User requested to release a quarantined message', 'User clicked a malicious link', etc. About 8 of these we send to 'email address removed for privacy reasons'. That administrator account has an EOM license, so Outlook rules can be set. We set rules to forward those 8 alerts to our 'email address removed for privacy reasons' address. This is, very specifically, so the alert passes through the @tenant.com address, and our ticketing endpoint knows what tenant sent it. But this ISN'T ideal because it requires an EOP license (or similar - this actually hasn't been an issue until now just because of our customer environments). I've looked at the following alternatives: -&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Setting email address removed for privacy reasons as the recipient directly on the Alert Policies in question. This results in the mail going directly from microsoft to our Ticketing Portal - so it ends up sorted into Microsoft tickets, and the right team doesn't get it.&amp;nbsp;&lt;/LI&gt;&lt;LI&gt;SMTP Forwarding via either Exchange AC User controls or Mail Flow Rules. But these aren't traditional forwarding, and they have the same issue as above.&amp;nbsp;&amp;nbsp;&lt;/LI&gt;&lt;LI&gt;Making administrator @tenant.com a SHARED mailbox that we can also login to (for administration purposes). But this doesn't allow you to set Outlook rules (or even login to Outlook).&lt;BR /&gt;&lt;BR /&gt;&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;I've checked out the newer alerts under Defender's Settings panel - XDR alerts, I think they're called. Wondering if these can be leveraged at all for this? Essentially, trying to get these Alerts to come to our external ticketing address, from the tenant's domain (instead of Microsoft). 
I could probably update Autotask's rules to check for a header, and set that header via Mail Flow rules, but.. just hoping I don't have to do that for everyone.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Apr 2026 18:43:55 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/do-xdr-alerts-cover-the-same-alerts-available-in-alert-policies/m-p/4508139#M1144</guid>
      <dc:creator>underQualifried</dc:creator>
      <dc:date>2026-04-02T18:43:55Z</dc:date>
    </item>
    <item>
      <title>Impersonation Protection: Users to Protect should also be Trusted Senders</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/impersonation-protection-users-to-protect-should-also-be-trusted/m-p/4508138#M1143</link>
      <description>&lt;P&gt;Hey all, sort of a weird question here. Teaching my staff about Impersonation Protection, and it's kind of occurred to me that any external sender added to 'Senders to Protect' sort of implicitly should also be a 'Trusted Sender'. Example - we're an MSP, and we want our Help Desk (email address removed for privacy reasons) to be protected from impersonation. Specifically, we want to protect the 'Help Desk' name.&amp;nbsp; So we add email address removed for privacy reasons to Senders to protect. However, we ALSO want to make sure our emails come thru. So we've ALSO had to add email address removed for privacy reasons to Trusted Senders on other tenants.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Chats with Copilot have sort of given me an understanding that this is essentially a 'which is more useful' scenario. But CoPilot makes things up, and I want some human input.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In theory, ANYONE we add to 'trusted senders' we ALSO want protected from Impersonation. Anyone we protect from Impersonation we ALSO want to trust. Copilot says you SHOULDN'T do both.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Which is better / more practical?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 02 Apr 2026 18:30:38 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/impersonation-protection-users-to-protect-should-also-be-trusted/m-p/4508138#M1143</guid>
      <dc:creator>underQualifried</dc:creator>
      <dc:date>2026-04-02T18:30:38Z</dc:date>
    </item>
    <item>
      <title>I would like to know the complete list of alerts whose serviceSource is MDO</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/i-would-like-to-know-the-complete-list-of-alerts-whose/m-p/4507270#M1142</link>
      <description>&lt;P&gt;Hi all&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P&gt;In order to determine the alerts that should be monitored by the SOC, I would like to identify, from the alerts listed at the link below, those whose serviceSource is Microsoft Defender for Office 365 (MDO).&lt;/P&gt;&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-xdr/alert-policies" target="_blank"&gt;Alert policies in the Microsoft Defender portal - Microsoft Defender XDR | Microsoft Learn&lt;/A&gt;&lt;/P&gt;&lt;P&gt;I couldn’t find where this is documented, no matter how thoroughly I searched, so I would appreciate it if you could point me to the relevant documentation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;thx&lt;/P&gt;</description>
      <pubDate>Tue, 31 Mar 2026 12:14:37 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/i-would-like-to-know-the-complete-list-of-alerts-whose/m-p/4507270#M1142</guid>
      <dc:creator>Kota2</dc:creator>
      <dc:date>2026-03-31T12:14:37Z</dc:date>
    </item>
    <item>
      <title>I have absolutely no idea what Microsoft Defender 365 wants me to do here</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/i-have-absolutely-no-idea-what-microsoft-defender-365-wants-me/m-p/4481993#M1132</link>
      <description>&lt;P&gt;The process starts with an email:&lt;/P&gt;&lt;img /&gt;&lt;P&gt;There's more below on the email - an offer for credit monitoring, an option to add another device, an option to download the mobile app - but I don't want to do any of them, so I click on the "Open Defender" button, which results in this:&lt;/P&gt;&lt;img /&gt;&lt;P&gt;OK, so my laptop is the bad boy here, there's that Status note of "Action recommended", with no "recommendations" and the only live link here is "Add device", something I don't need to do.&amp;nbsp; The only potential "problem" I can even guess at here is that Microsoft is telling me that the laptop needs updating.&amp;nbsp; Since I seldom use the laptop, only when traveling, I'd guess the next time I'd fire it up the update will occur, but of course I really don't know that's the recommended action it's warning me about, do I?&amp;nbsp;&lt;/P&gt;&lt;P&gt;You'd expect that if something is warning you "ACTION NEEDED!!!" they'd be a little more explicit, wouldn't you?&lt;/P&gt;</description>
      <pubDate>Tue, 30 Dec 2025 15:30:01 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/i-have-absolutely-no-idea-what-microsoft-defender-365-wants-me/m-p/4481993#M1132</guid>
      <dc:creator>JustTom</dc:creator>
      <dc:date>2025-12-30T15:30:01Z</dc:date>
    </item>
    <item>
      <title>Tenant Forwarding - Trusted ARC Sealer</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/tenant-forwarding-trusted-arc-sealer/m-p/4478434#M1131</link>
      <description>&lt;P&gt;As part of a tenant to tenant migration we often need to forward mail from one tenant to another. This can cause some issues with email authentication verdicts on the destination tenant. Is it possible or best practice to configure another tenant as a Trusted ARC sealer to help with forwarded email deliverability?&lt;/P&gt;</description>
      <pubDate>Tue, 16 Dec 2025 16:57:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/tenant-forwarding-trusted-arc-sealer/m-p/4478434#M1131</guid>
      <dc:creator>weebles</dc:creator>
      <dc:date>2025-12-16T16:57:00Z</dc:date>
    </item>
    <item>
      <title>Email - Override/Bypass Events</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-override-bypass-events/m-p/4472544#M1129</link>
      <description>&lt;P&gt;Hi Community,&lt;/P&gt;&lt;P&gt;How can I extract the override/bypass information by using EXO PowerShell Module, Advanced Hunting or Graph API? I have searched in cmdlets but no luck.&amp;nbsp;&lt;/P&gt;&lt;img /&gt;</description>
      <pubDate>Mon, 24 Nov 2025 10:39:23 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-override-bypass-events/m-p/4472544#M1129</guid>
      <dc:creator>mhmmdrn</dc:creator>
      <dc:date>2025-11-24T10:39:23Z</dc:date>
    </item>
    <item>
      <title>License question</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/license-question/m-p/4465971#M1127</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;From what I've read, if I have 10 licensed (Defender for Office 365) users, each with their own mailbox and an additional shared mailbox connected, I only need to license those 10 users (the shared mailbox doesn't need to be licensed additionally). However, I don't see such a provision in the licensing agreements themselves. If I understand this correctly, can someone point me to the relevant clause in the agreement?&lt;/P&gt;&lt;P&gt;Does a shared mailbox that no one uses require a Defender license (if the organization uses Defender for Office 365 licenses)?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;thx.&lt;/P&gt;</description>
      <pubDate>Fri, 31 Oct 2025 13:27:48 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/license-question/m-p/4465971#M1127</guid>
      <dc:creator>rafalbartczak</dc:creator>
      <dc:date>2025-10-31T13:27:48Z</dc:date>
    </item>
    <item>
      <title>Secure Score rec. out of date - Entra consent settings</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/secure-score-rec-out-of-date-entra-consent-settings/m-p/4462376#M1125</link>
      <description>&lt;P&gt;TLDR: 1. SecureScore recommendation for user consent settings does not match the User Consent settings recommendation. 2. Also, the recommendation on User Consent page is not described in a sensible way.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;This recommendation - Ensure user consent to apps accessing company data on their behalf is not allowed - instructs people to set the Consent Settings to 'Allow users to consent to low-level permissions', and select the low-level permissions. Optionally, to also set up admin workflow. This is the SecureScore recommended process we've been using. It &lt;STRONG&gt;was&lt;/STRONG&gt; bugged, so we'd set it to 'Resolved by ____' usually once completed. It looks like this is fixed and now properly shows Completed (from testing, the manual resolve statuses aren't overwritten by the automatic completion - it'll wait until those are set to something else to update it to completed). Anyway, that's not the issue.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;img /&gt;&lt;P&gt;&lt;BR /&gt;&lt;BR /&gt;Recently noticed on the actual Consent blade, it shows that the recommendation is Microsoft-managed. I've never noticed this before - I believe it's new. So now it's kinda unclear what's ACTUALLY recommended. Reading the associated KB, it is described currently as 'end users can consent for any user consentable delegated permissions EXCEPT: Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All.'&lt;STRONG&gt;. But it doesn't actually describe what 'user consentable' is&lt;/STRONG&gt;... is that whatever 'low impact' permissions you set? Is it something completely different?&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;So the options are&lt;BR /&gt;1. Users can't consent&lt;BR /&gt;2. Users can consent to permissions you deem low-risk&lt;BR /&gt;3. 
&lt;STRONG&gt;Users can consent to permissions users can consent to,&lt;/STRONG&gt; but not these x&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;img /&gt;&lt;P&gt;&lt;BR /&gt;&lt;BR /&gt;There isn't a feedback button on SecureScore.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 17 Oct 2025 16:45:16 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/secure-score-rec-out-of-date-entra-consent-settings/m-p/4462376#M1125</guid>
      <dc:creator>underQualifried</dc:creator>
      <dc:date>2025-10-17T16:45:16Z</dc:date>
    </item>
    <item>
      <title>user-reported phishing emails</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/user-reported-phishing-emails/m-p/4450911#M1117</link>
      <description>&lt;P&gt;Dear Community&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a technical question regarding user-reported emails. In Defender, under “Action and Submissions” -&amp;gt; “Submissions,” I can see the emails that users have reported under the “user reported” option. There, we have the option to analyze these emails and mark them as “no threats found,” “phishing,” or “spam.” The user is then informed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Question: Do these reported emails remain in the user's inbox when they report them? If not, do we have the option to return these reported emails to the user's inbox with the “No threats found” action? Because I don't see this option.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In another tenant, under “Choose response Action,” I see “move or delete,” but the “inbox” option is grayed out. Why is that?&lt;/P&gt;&lt;img /&gt;&lt;P&gt;Thank you very much!&lt;/P&gt;</description>
      <pubDate>Thu, 04 Sep 2025 12:34:28 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/user-reported-phishing-emails/m-p/4450911#M1117</guid>
      <dc:creator>SleeperHead</dc:creator>
      <dc:date>2025-09-04T12:34:28Z</dc:date>
    </item>
    <item>
      <title>False positive report</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/false-positive-report/m-p/4447164#M1115</link>
      <description>&lt;P&gt;Microsoft Defender falsely tags and deletes Freegate VPN as a trojan virus&lt;/P&gt;&lt;P&gt;https://en.m.wikipedia.org/wiki/Freegate&lt;/P&gt;</description>
      <pubDate>Fri, 22 Aug 2025 16:42:51 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/false-positive-report/m-p/4447164#M1115</guid>
      <dc:creator>imanbarati</dc:creator>
      <dc:date>2025-08-22T16:42:51Z</dc:date>
    </item>
    <item>
      <title>Microsoft Defender for Office (MDO) - Customize Results Email for User Reported Messages</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/microsoft-defender-for-office-mdo-customize-results-email-for/m-p/4442093#M1112</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;I would like to customize the results email from MDO to the users. From the documentation, I can see the option to modify "Email body results text" and "Email footer text":&lt;/P&gt;&lt;img&gt;Microsoft Defender for Office (MDO) documentation about custom results email&lt;/img&gt;&lt;img&gt;Custom notification options in the Defender portal&lt;/img&gt;&lt;P&gt;Unfortunately, the documentation doesn't specify anything beyond that. Therefore, I have the following questions:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;What exactly is the Email "body" and "footer" in this template? (Compare to screenshot below)&lt;/LI&gt;&lt;LI&gt;Is the title/header part of the "body"?&lt;/LI&gt;&lt;LI&gt;What type of text format is available? (Plain/HTML/Markdown etc.)&lt;/LI&gt;&lt;/UL&gt;&lt;img&gt;Example Email / Default "SPAM" response&lt;/img&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Does anyone have experience with customizing these result emails? Feedback would be appreciated, thanks!&lt;/P&gt;</description>
      <pubDate>Mon, 11 Aug 2025 10:41:56 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/microsoft-defender-for-office-mdo-customize-results-email-for/m-p/4442093#M1112</guid>
      <dc:creator>PhilippZiemke</dc:creator>
      <dc:date>2025-08-11T10:41:56Z</dc:date>
    </item>
    <item>
      <title>Disabling Auto Align Feature in Microsoft Defender 365 Console Alerts</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/disabling-auto-align-feature-in-microsoft-defender-365-console/m-p/4441086#M1111</link>
      <description>&lt;P&gt;The Microsoft Defender 365 console has recently started auto aligning the alert screen upon clicking on an alert name, which seems to be part of the updated alert management experience. This change is quite bothersome and distracting. How can this feature be disabled?&lt;/P&gt;</description>
      <pubDate>Thu, 07 Aug 2025 13:05:59 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/disabling-auto-align-feature-in-microsoft-defender-365-console/m-p/4441086#M1111</guid>
      <dc:creator>HeyNiko</dc:creator>
      <dc:date>2025-08-07T13:05:59Z</dc:date>
    </item>
    <item>
      <title>'system has learned from the submission / mail is automatically allowed'</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/system-has-learned-from-the-submission-mail-is-automatically/m-p/4437908#M1109</link>
      <description>&lt;P&gt;Hey folks, got an alert about a tenant allow/block list entry expiring. Only recently did we start getting these, because only recently did we start using expiring whitelisting. But I'm a little confused by the details, which says 'Mail from x is now automatically allowed and the allow entry has been removed' and the activity that 'an allow entry is no longer required as the system has learned from the submission'&lt;/P&gt;&lt;P&gt;The referenced email is actually an internal tenant - it receives ticket requests, and sends out ticket updates. But I'm REALLY curious about the 'automatic' allowing. Is this a feature limited to Defender 2, or part of Microsoft's AI detection framework for all 365 Defender/EOP? I don't even remember submitting this email - if I did, it was probably more than 45 days ago. So&amp;nbsp;&lt;/P&gt;&lt;P&gt;1) Is this notice primarily that the entry had expired, but ALSO it's not needed or does this send out as soon as 'the system' recognizes it as legitimate, and removed regardless of the time left?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;2) Is there a way to review a list of entries Microsoft has 'accepted'?&lt;/P&gt;&lt;P&gt;3) What exactly does this 'allow'? I know that the tenant allow/block list allowed a certain set of lower-risk indicators in an email, but still blocked some higher-risk ones - unless there was a submission made. At that point, more is allowed. But there's still a limit, compared to a blanket bypass on the policy itself.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Jul 2025 18:20:41 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/system-has-learned-from-the-submission-mail-is-automatically/m-p/4437908#M1109</guid>
      <dc:creator>underQualifried</dc:creator>
      <dc:date>2025-07-29T18:20:41Z</dc:date>
    </item>
    <item>
      <title>Microsoft Defender EOP</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/microsoft-defender-eop/m-p/4435793#M1104</link>
      <description>&lt;P&gt;We have been experiencing an issue since last week where we are unable to view the details of quarantined emails. Could you please confirm if this is related to a known backend service issue, or if there are any specific troubleshooting steps we should perform on our end?&lt;/P&gt;&lt;img /&gt;&lt;P&gt;Any guidance or updates would be greatly appreciated.&lt;/P&gt;</description>
      <pubDate>Wed, 23 Jul 2025 10:18:29 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/microsoft-defender-eop/m-p/4435793#M1104</guid>
      <dc:creator>Salamat_Shah</dc:creator>
      <dc:date>2025-07-23T10:18:29Z</dc:date>
    </item>
    <item>
      <title>Searching for Activities in Audit Log returns repeated results - appears broken</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/searching-for-activities-in-audit-log-returns-repeated-results/m-p/4433816#M1103</link>
      <description>&lt;P&gt;I'm in Defender, using the Audit Log tool,&amp;nbsp;&lt;STRONG&gt;trying&lt;/STRONG&gt; to find out who changed the Anti-Phishing policy on the 23rd of January. Selecting the 'Activities - friendly names' drop-down, and inputting 'policy' returns&amp;nbsp;&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;A number of different categories + activities for stuff unrelated to Defender (ie, Purview, CoPilot in Outlook, SharePoint AI use, the 365 AC, 'Places Directory' - whatever that is) but nothing related to Defender (the tool I'm opening it within)...&lt;/LI&gt;&lt;LI&gt;The same category - M365 Apps Admin Services cloud policy activities - about 30 times, with every activity it includes. Probably 70% of the results, are just this same thing over and over. I looked into it - because I've never heard of this, yet it SOUNDS like something related to what I do.&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;First off, on the &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/purview/audit-log-activities#microsoft-365-apps-admin-services-cloud-policy-activities" target="_blank"&gt;audit log activities&lt;/A&gt; KB, this category is listed once, with 4 activities. There's about 13 that show up in each duplicated category in the search, so that's unhelpful. It links to &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/microsoft-365-apps/admin-center/overview-cloud-policy" target="_blank"&gt;another kb&lt;/A&gt; which seems to imply that 'Cloud Policy service' is not an actual thing - it's just a marketing/conceptual term for a functionality of InTune. Why it's not in the InTune KB - I do not know - I've made some suggestions to the KB's&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The first KB I mentioned does not list any activities for Defender's policies - there's stuff for Endpoint (multiple categories), XDR (multiple categories)... So I have 2 questions.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;1) Is anyone able to advise how to get the data I want? 
At this point, I'm not even sure this audit log would PULL any relevant data, based on the lack of activities - so I don't really want to just blanket search for that date, and sift through stuff.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;2) Does anyone know how to use this tool effectively? Know of a KB that is good and reliable and helpful?&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Wed, 16 Jul 2025 14:00:52 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/searching-for-activities-in-audit-log-returns-repeated-results/m-p/4433816#M1103</guid>
      <dc:creator>underQualifried</dc:creator>
      <dc:date>2025-07-16T14:00:52Z</dc:date>
    </item>
    <item>
      <title>Help me understand why this email was quarantined?</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/help-me-understand-why-this-email-was-quarantined/m-p/4427946#M1097</link>
      <description>&lt;P&gt;I'm pretty familiar with Defender's Threat Policies. I've probably set them up on 40 tenants. I know the Hosted Content Filter Policy is backend for Anti Spam Inbound policy. I know that, confusingly, the AntiSpam Inbound Policies contain the actions for High Confidence/Normal Confidence Phishing - NOT the AntiPhishing policies (which seem more geared towards impersonation). What I DON'T know is why this was quarantined - and whether the anti-phish policy had anything to do with it. The Policy Type linked is the IB Anti Spam. This tenant is one of the few we have set at a BCL tolerance level of 7 - which shows me that 0 messages in the last 60 days would've been caught for this reason (which would include the email in question). So it was either the SCL or some 'anti phish' component of the anti-spam policy. I have none of the custom 'increase spam score' markers here. I was sure there was an 'evidence' tab within email entity, but I guess not - the only info I have about the detection (now released) is the following:&lt;BR /&gt;&lt;BR /&gt;This particular sender does not send reliably over 45 days, but also has been a business partner of this tenant for decades. So rather than the Tenant Allow/Block list which allows a max of 45 days, I want to add it to the offending policy, which SEEMS like it would be the inbound anti-spam - except that it also says it's phishing everywhere. I don't want to bypass both the phishing and spam policies unless I have to - but I don't really know why this got blocked.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;It's an external address that had sent an email days ago that got through without issue... This one has an attached pdf, but so do they all.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Thoughts?&lt;/P&gt;&lt;img /&gt;&lt;img /&gt;</description>
      <pubDate>Fri, 27 Jun 2025 15:45:37 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/help-me-understand-why-this-email-was-quarantined/m-p/4427946#M1097</guid>
      <dc:creator>underQualifried</dc:creator>
      <dc:date>2025-06-27T15:45:37Z</dc:date>
    </item>
    <item>
      <title>Block all internet traffic except some sites</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/block-all-internet-traffic-except-some-sites/m-p/4421403#M1094</link>
      <description>&lt;P&gt;Hi,&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've a subset of machines that need only access to some sites, like internal websites, office365 and av updates but I'm being asked to block all other sites.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can I use office365 defender (https://security.microsoft.com/securitysettings/endpoints) to do this?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What is the best option?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thx&lt;/P&gt;</description>
      <pubDate>Fri, 06 Jun 2025 14:18:32 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/block-all-internet-traffic-except-some-sites/m-p/4421403#M1094</guid>
      <dc:creator>joaquimlopes</dc:creator>
      <dc:date>2025-06-06T14:18:32Z</dc:date>
    </item>
    <item>
      <title>All Excel Macro Files Suddenly Flagged as Malware (X97M/Slacker.gen!A) Across M365 Starting April 16</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/all-excel-macro-files-suddenly-flagged-as-malware-x97m-slacker/m-p/4411435#M1092</link>
      <description>&lt;P&gt;Starting around 8 PM GMT+8 on April 16, 2025, macro-enabled Excel files with extensions such as .xlsm, .xlsb, or .xls began being automatically flagged as malware, specifically identified as X97M/Slacker.gen!A—when opened or edited in SharePoint, OneDrive, or Teams. Before this, the same files were not flagged as malicious, even when opened or edited, and this behavior had remained consistent for several months.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;This issue affects our entire tenant, with over 800 files being flagged as malware under the name X97M/Slacker.gen!A. These files are located across various locations and have been modified by different users.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;We are a Cloud-only tenant, and we have not done any configuration changes in Threat Policies for the past few months.&lt;/P&gt;</description>
      <pubDate>Wed, 07 May 2025 07:37:40 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/all-excel-macro-files-suddenly-flagged-as-malware-x97m-slacker/m-p/4411435#M1092</guid>
      <dc:creator>Tiam</dc:creator>
      <dc:date>2025-05-07T07:37:40Z</dc:date>
    </item>
    <item>
      <title>Marking Quarantine Notice senders as safe for entire tenant</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/marking-quarantine-notice-senders-as-safe-for-entire-tenant/m-p/4411185#M1091</link>
      <description>&lt;P&gt;Our users get quarantine notices weekly. They're configured to come from &lt;A class="lia-external-url" href="mailto:email address removed for privacy reasons" target="_blank"&gt;email address removed for privacy reasons&lt;/A&gt; (the domain specific to tenant). Sometimes they come from &lt;A class="lia-external-url" href="mailto:email address removed for privacy reasons" target="_blank"&gt;email address removed for privacy reasons&lt;/A&gt; anyways, but this is fine.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;The thing is, I end up with a LOT of users who end up receiving these in their junk mail. We have a lot of tenants - I don't really have the time to keep checking them, taking action on mis-junked items. Most stuff is configured to go to quarantine anyway.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;What's the best way to allow these senders? The IB Anti-Spam safe-senders component is not Secure-Score recommended, and we try to keep these scores high. But the tenant allow/block list allows a max of 45 days since last use. There's so many options, I'm a little confused as to what's 'right'&lt;BR /&gt;&lt;BR /&gt;Thanks&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 06 May 2025 14:39:02 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/marking-quarantine-notice-senders-as-safe-for-entire-tenant/m-p/4411185#M1091</guid>
      <dc:creator>underQualifried</dc:creator>
      <dc:date>2025-05-06T14:39:02Z</dc:date>
    </item>
    <item>
      <title>upgraded from P1 to P2... how do I configure this?</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/upgraded-from-p1-to-p2-how-do-i-configure-this/m-p/4399682#M1082</link>
      <description>&lt;P&gt;Upgraded to Defender 365 P2 from P1, based on the automated responses. Kinda figured we'd be able to tweak these, but I guess not? Anyway, I'm a little bit confused about how to set this up maximally. Realized yesterday we had a 'User click a malicious link' investigation that was pending - but no one knew. When I click 'Email Notification' in the 'Incidents' window, it brings me to the XDR settings menu, with options for setting emails to notify of Alerts, Incidents and Threat Analytics. Except we don't have XDR? So I can't tell if these are even valid?&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;The documentation on the AIR component is really hard to decipher - wondering if anyone has much experience with this, and knows how to configure it optimally? As in, how do I notify someone of a Critical Investigation, or something needing approval for remediation? Can I configure certain things to not require approval? Like... removing a reported phishing email from everyone's inbox?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 01 Apr 2025 14:34:04 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/upgraded-from-p1-to-p2-how-do-i-configure-this/m-p/4399682#M1082</guid>
      <dc:creator>underQualifried</dc:creator>
      <dc:date>2025-04-01T14:34:04Z</dc:date>
    </item>
  </channel>
</rss>

