Tenant Forwarding - Trusted ARC Sealer
As part of a tenant to tenant migration we often need to forward mail from one tenant to another. This can cause some issues with email authentication verdicts on the destination tenant. Is it possible or best practice to configure another tenant as a Trusted ARC sealer to help with forwarded email deliverability?Enterprise IoT Security now included in E5
To help organizations achieve a more holistic endpoint security strategy that traverses both IT and eIoT devices easily, we are thrilled to announce that the eIoT security capabilities of Microsoft Defender for IoT are now included with Microsoft 365 E5 and E5 Security plans at no additional cost for new and existing customers. For more details please visit: Enterprise IoT security now included with Microsoft 365 E5 blog post. This enhancement empowers security teams to: Eliminate critical blind spots by discovering unmanaged enterprise IoT devices. Identify anomalies across the enterprise IoT device estate with continuous monitoring. Harden posture across enterprise IoT with vulnerability assessments with actionable guidance to help remediate at-risk device. What's Changing? Defender for IoT’s EIoT is transitioning from a consumption-based payment model in the Azure portal to a per-device, per-month licensing model as an integral part of Microsoft 365. It is now accessible to both new and existing customers of Microsoft 365 E5 and E5 Security. The new license includes coverage for up to five enterprise IoT devices per eligible user license at no additional cost. Learn more: Get started with enterprise IoT monitoring in Microsoft 365 Defender Start securing IoT devices in the enterprise Read the enterprise IoT security FAQ Microsoft Defender for IoT Plans and Pricing | Microsoft Security web page.
New blog post | Microsoft Defender for IoT moves to site-based licensing
On June 1, 2023, Microsoft Defender for IoT moved to site-based licensing for organizations looking to protect their operation technology (OT) environments. The previous Azure consumption model for this solution will no longer be available for purchase by new customers. Existing customers can choose to transition to site-based licensing or remain on the consumption model. Microsoft Defender for IoT - New site-based licensingCloud-delivered IoT/OT threat intelligence — now available for Defender for IoT
Threat intelligence updates for Azure Defender for IoT can now be automatically pushed to Azure-connected network sensors as soon as updates are released, reducing manual effort and helping to ensure continuous security. Learn why threat intelligence specifically tailored to industrial and critical infrastructure organizations is a more effective approach for proactively mitigating IoT/OT vulnerabilities and threats, and how it complements Defender for IoT's native behavioral analytics.
Defender for Identity health issues - Not Closing
We have old issues and they're not being "Closed" as reported. Are we missing something or is this "Microsoft Defender for Identity" Health Issues process broken? Thanks! Closed: A health issue is automatically marked as Closed when Microsoft Defender for Identity detects that the underlying issue is resolved. If you have the Azure ATP (workspace name) Administrator role, you can also manually close a health issue.
Microsoft Ignite 2025: Top Security Innovations You Need to Know
🤖 Security & AI -The Big Story This Year 2025 marks a turning point for cybersecurity. Rapid adoption of AI across enterprises has unlocked innovation but introduced new risks. AI agents are now part of everyday workflows-automating tasks and interacting with sensitive data—creating new attack surfaces that traditional security models cannot fully address. Threat actors are leveraging AI to accelerate attacks, making speed and automation critical for defense. Organizations need solutions that deliver visibility, governance, and proactive risk management for both human and machine identities. Microsoft Ignite 2025 reflects this shift with announcements focused on securing AI at scale, extending Zero Trust principles to AI agents, and embedding intelligent automation into security operations. As a Senior Cybersecurity Solution Architect, I’ve curated the top security announcements from Microsoft Ignite 2025 to help you stay ahead of evolving threats and understand the latest innovations in enterprise security. Agent 365: Control Plane for AI Agents Agent 365 is a centralized platform that gives organizations full visibility, governance, and risk management over AI agents across Microsoft and third-party ecosystems. Why it matters: Unmanaged AI agents can introduce compliance gaps and security risks. Agent 365 ensures full lifecycle control. Key Features: Complete agent registry and discovery Access control and conditional policies Visualization of agent interactions and risk posture Built-in integration with Defender, Entra, and Purview Available via the Frontier Program Microsoft Agent 365: The control plane for AI agents Deep dive blog on Agent 365 Entra Agent ID: Zero Trust for AI Identities Microsoft Entra is the identity and access management suite (covering Azure AD, permissions, and secure access). Entra Agent ID extends Zero Trust identity principles to AI agents, ensuring they are governed like human identities. Why it matters: Unmanaged or over-privileged AI agents can create major security gaps. Agent ID enforces identity governance on AI agents and reduces automation risks. Key Features: Provides unique identities for AI agents Lifecycle governance and sponsorship for agents Conditional access policies applied to agent activity Integrated with open SDKs/APIs for third‑party platforms Microsoft Entra Agent ID Overview Entra Ignite 2025 announcements Public Preview details Security Copilot Expansion Security Copilot is Microsoft’s AI assistant for security teams, now expanded to automate threat hunting, phishing triage, identity risk remediation, and compliance tasks. Why it matters: Security teams face alert fatigue and resource constraints. Copilot accelerates response and reduces manual effort. Key Features: 12 new Microsoft-built agents across Defender, Entra, Intune, and Purview. 30+ partner-built agents available in the Microsoft Security Store. Automates threat hunting, phishing triage, identity risk remediation, and compliance tasks. Included for Microsoft 365 E5 customers at no extra cost. Security Copilot inclusion in Microsoft 365 E5 Security Copilot Ignite blog Security Dashboard for AI A unified dashboard for CISOs and risk leaders to monitor AI risks, aggregate signals from Microsoft security services, and assign tasks via Security Copilot - included at no extra cost. Why it matters: Provides a single pane of glass for AI risk management, improving visibility and decision-making. Key Features: Aggregates signals from Entra, Defender, and Purview Supports natural language queries for risk insights Enables task assignment via Security Copilot Ignite Session: Securing AI at Scale Microsoft Security Blog Microsoft Defender Innovations Microsoft Defender serves as Microsoft’s CNAPP solution, offering comprehensive, AI-driven threat protection that spans endpoints, email, cloud workloads, and SIEM/SOAR integrations. Why It Matters Modern attacks target multi-cloud environments and software supply chains. These innovations provide proactive defense, reduce breach risks before exploitation, and extend protection beyond Microsoft ecosystems-helping organizations secure endpoints, identities, and workloads at scale. Key Features: Predictive Shielding: Proactively hardens attack paths before adversaries pivot. Automatic Attack Disruption: Extended to AWS, Okta, and Proofpoint via Sentinel. Supply Chain Security: Defender for Cloud now integrates with GitHub Advanced Security. What’s new in Microsoft Defender at Ignite Defender for Cloud innovations Global Secure Access & AI Gateway Part of Microsoft Entra’s secure access portfolio, providing secure connectivity and inspection for web and AI traffic. Why it matters: Protects against lateral movement and AI-specific threats while maintaining secure connectivity. Key Features: TLS inspection, URL/file filtering AI Prompt Injection protection Private access for domain controllers to prevent lateral movement attacks. Learn about Secure Web and AI Gateway for agents Microsoft Entra: What’s new in secure access on the AI frontier Purview Enhancements Microsoft Purview is the data governance and compliance platform, ensuring sensitive data is classified, protected, and monitored. Why it matters: Ensures sensitive data remains protected and compliant in AI-driven environments. Key Features: AI Observability: Monitor agent activities and prevent sensitive data leakage. Compliance Guardrails: Communication compliance for AI interactions. Expanded DSPM: Data Security Posture Management for AI workloads. Announcing new Microsoft Purview capabilities to protect GenAI agents Intune Updates Microsoft Intune is a cloud-based endpoint device management solution that secures apps, devices, and data across platforms. It simplifies endpoint security management and accelerates response to device risks using AI. Why it matters: Endpoint security is critical as organizations manage diverse devices in hybrid environments. These updates reduce complexity, speed up remediation, and leverage AI-driven automation-helping security teams stay ahead of evolving threats. Key Features: Security Copilot agents automate policy reviews, device offboarding, and risk-based remediation. Enhanced remote management for Windows Recovery Environment (WinRE). Policy Configuration Agent in Intune lets IT admins create and validate policies with natural language What’s new in Microsoft Intune at Ignite Your guide to Intune at Ignite Closing Thoughts Microsoft Ignite 2025 signals the start of an AI-driven security era. From visibility and governance for AI agents to Zero Trust for machine identities, automation in security operations, and stronger compliance for AI workloads-these innovations empower organizations to anticipate threats, simplify governance, and accelerate secure AI adoption without compromising compliance or control. 📘 Full Coverage: Microsoft Ignite 2025 Book of NewsAdd Privacy Scrub Service to Microsoft Defender?
Microsoft Defender protects accounts against phishing and malware, but attackers increasingly exploit nuisance data broker sites that publish personal information (names, emails, addresses). These sites are scraped to personalize phishing campaigns, making them harder to detect. I propose a premium Defender add‑on that automatically files opt‑out requests with major data brokers (similar to DeleteMe).Microsoft Defender for Office 365: Fine-Tuning
In incident response, most business email compromise doesn’t start with “sophisticated zero-day malware.” It starts with configuration gaps: forwarding mail outside the tenant, users clicking through Safe Links warnings, impersonation policies left at day-one defaults, or post-delivery cleanup still relying on a human analyst at 2:00 AM. Those gaps are what attackers actually exploit. This blog covers our top recommendations for fine-tuning Microsoft Defender for Office 365 configuration from hundreds of deployments and recovery engagements: Core fine-tuning actions every email or security admin should land right now Data-driven bulk mail tuning (BCL and Bulk Mail Insights) Impersonation and anti-phishing policy hygiene for executive protection Automate post-delivery cleanup by enabling Automated Remediation Each section includes a short video and practical guidance you can apply immediately in Microsoft Defender for Office 365. These recommendations align with Microsoft’s “secure by default” direction: applying the Standard and Strict preset security policies to users, using Configuration analyzer to catch configuration drift, and enforcing least-privilege release of high-risk mail. When possible, enable the Preset security policies to give you Microsoft’s recommended settings for Safe Links, Safe Attachments, Anti-Phishing, and Anti-Spam. If you use custom policies (or if you exclude users from the Presets) then use Configuration analyzer regularly to compare custom policies to the Standard/Strict baselines, since those get updated as Microsoft updates the Preset policies. Core Fine-Tuning Checklist for Defender for Office 365 This section highlights six controls we recommend implementing broadly. These are “day one hardening” items we repeatedly validate with customers. Block automatic external forwarding by default Attackers often create hidden inbox rules that quietly forward mail (invoices, purchase orders, wire info) to an external account they control. Use outbound spam policies to block automatic external forwarding for the entire org and then create tightly scoped exceptions only for the handful of mailboxes that legitimately need it. This prevents data leakage and payment fraud scenarios where mail auto-forwards out of your tenant without anyone noticing. Although this setting is on by default (“System Controlled” means that external forwarding is disabled), we’ve found many tenants where this was disabled because the admin didn’t know how to create a custom policy for authorized forwarders. The trick is to order custom outbound policies to run as a higher priority than the default outbound policy which should be set to block auto-forwarded emails. It is a good idea to regularly review the auto forwarded message report (located in the Exchange Admin Center). Use Enhanced Filtering for Connectors (“skip listing”) when necessary If you’re routing inbound mail through a third-party Secure Email Gateway or an on-prem hop before Microsoft 365, Defender will see that intermediary as the source IP instead of the original sending IP, which degrades anti-spoofing effectiveness.Enhanced Filtering for Connectors — also called skip listing — lets Microsoft 365 look past that last hop and evaluate the real sending IP and headers, so SPF / DKIM / DMARC and anti-spam logic work correctly. This setting does not support centralized mail routing (unless the routing is linear; see the Enhanced Filtering for Connectors learn article), so make sure you are not using that before enabling Enhanced Filtering. Centralized routing is sometimes used by organizations running a hybrid Exchange deployment, connecting Exchange Online with an on-premises Exchange Server organization. Important: Do this instead of blanket SCL -1 transport rules that “bypass spam filtering for anything coming from our gateway.” Over-bypassing means phishing that slipped through the third-party filter can sail straight to user inboxes, which Microsoft specifically warns against. Turn on Safe Attachments protection beyond email (SharePoint, OneDrive, Teams) In the Safe Attachments “Global settings,” make sure Defender for Office 365 is set to protect files in SharePoint, OneDrive, and Microsoft Teams. When enabled, if a file is identified as malicious, Defender automatically locks the file in-place so users can’t open it in Teams or OneDrive. This gives you malware detonation and containment in collaboration channels, not just email. This step closes a gap we still see a lot: customers protect mail attachments well, but shared files and Teams chats are wide open. In the 1st part of this blog series, Microsoft MVP Purav Desai describes (here) how to prevent users from downloading malicious files by running a SharePoint PowerShell cmdlet: Set-SPOTenant -DisallowInfectedFileDownload $true Don’t let users click through Safe Links warnings Safe Links rewrites and time-of-click scans URLs in mail, Office apps, and Teams. In the Safe Links policy, clear “Let users click through to the original URL.” That prevents the classic “I know it says it’s malicious, but I really need to see it…” moment. Users get blocked instead of “warned but allowed.” This setting is also enforced in Microsoft’s Standard AND Strict preset security policies where click-through is explicitly disabled. Go beyond the default Common Attachment filter The anti-malware policy’s Common Attachment filter blocks known dangerous file extensions (executable content, scriptable content, etc.). Microsoft ships a default list (historically 50+ high-risk extensions), and you can customize it to block additional file types common in malware delivery, like HTML droppers or password-protected archives. Messages with those file types are treated as malware and quarantined. Do this centrally rather than relying on users to “spot a suspicious attachment.” Automation beats user judgment here. Use custom quarantine policies that require admin approval (instead of self-release) If you are not using the Preset Policies, you can create a quarantine policy to customize the user experience with quarantined messages. For anything phishing-related, I recommend creating a custom policy that allows the user to “request release from admin.” That means users can raise a hand if they think something should not have been quarantined, and an Incident is created for administrators to review before it is released. To me, this strikes the best balance between security and productivity. This keeps containment intact and gives the SOC final say. It also creates an auditable workflow: who asked for release, who approved it, and why. Bulk Mail Insights: Tune BCL using your tenant’s mail Bulk email (“graymail”) is noisy. Payroll alerts and benefits notifications are legitimate, but they look exactly like phishing. At the same time, true marketing email (graymail) are also bulk. The traditional response (“just whitelist the sender so users stop complaining”) often opens the door for attacker-looking mail to get delivered straight to executives. Defender for Office 365 gives you something better: Bulk Mail Insights (a.k.a. Bulk senders insight). This report shows, over the last 60 days, how much mail at each Bulk Complaint Level (BCL 1–9) was delivered vs. blocked, which senders are generating volume, and where users are likely to experience false positives or false negatives. You can interactively simulate raising or lowering the bulk threshold and immediately see, “If we tighten BCL, how many more messages get quarantined? How many of those were probably junk? How many were probably wanted?” Why this matters: You stop tuning bulk mail based on anecdotes and start tuning based on real telemetry from your own tenant. You can justify decisions to leadership and audit (“We set BCL at X because here is the simulation showing false positive/false negative impact”). You avoid blanket allow rules. Instead, you adjust bulk thresholds for legitimate high-volume senders while keeping stricter actions for everyone else. Note: You can modify the BCL threshold in your default or custom anti-spam policy, but you can’t change it inside the Standard (BCL:6) or Strict (BCL:5) preset security policies themselves. Standard and Strict are already aligned to Microsoft’s recommended baselines. Additional Links: https://security.microsoft.com/senderinsights https://learn.microsoft.com/en-us/defender-office-365/anti-spam-bulk-senders-insight https://learn.microsoft.com/en-us/defender-office-365/mdo-deployment-guide#step-2-configure-threat-policies https://learn.microsoft.com/en-us/defender-office-365/preset-security-policies#policy-settings-in-preset-security-policies https://learn.microsoft.com/en-us/defender-office-365/recommended-settings-for-eop-and-office365 https://www.microsoft.com/en-us/security/blog/2025/07/17/transparency-on-microsoft-defender-for-office-365-email-security-effectiveness/ Anti-Phishing / Impersonation Tuning: Protect the people attackers actually spoof Business email compromise very often looks like this: “Hi, can you handle this payment today?” sent from an address that looks like your CFO or CEO. Microsoft Defender for Office 365 includes targeted impersonation protection, but it only really works if you target your most targeted executives. Here are five pitfalls we see over and over: Empty or stale VIP list Populate “users to protect / high value targets” with executives, finance approvers, legal, anyone authorized to move money or data. Review it monthly. Roles change, and you only get a finite number of protected users (for example, ~350 entries). An out-of-date list silently weakens protection for the people attackers actually impersonate. Phishing email threshold stuck at 1 forever We find organizations that are not using the preset policies have left their phishing threshold values at the default “1” because of initial false positives. We recommend raising it to match the Standard Preset (“3”) or Strict (“4”). Weak action If suspicious “CFO” mail just goes to Junk, users can still act on it. High-confidence impersonation of executives should be quarantined with AdminOnly or request-release workflows, not left in end-user control. Tie this back to the custom quarantine policies (discussed later in this article). Common-name overload If your CEO’s name is something extremely common, you’ll get noise. Expect it. Don’t “turn off” protection for that name — add that address to the Trusted Senders otherwise it will be blocked as an impersonation attempt. Use Trusted Senders / Trusted Domains for known-good partners and vendors so you keep protection high without drowning in alerts. Add only legitimate senders/domains to the Trusted Senders or Trusted Domains instead of lowering enforcement. No scheduled review This control can’t be “set and forget.” Put impersonation tuning and spoof intelligence review on a monthly checklist. That lets you catch new vendors pretending to be finance, new “urgent wire” lure patterns, and any drift from Standard / Strict baseline that Configuration analyzer will also call out. When done right, impersonation protection is not just “spam reduction.” It’s payment fraud prevention. Automated Investigation & Response (AIR): Let Defender remove malicious email before your SOC has to! One of the biggest wins you can land quickly is letting Microsoft Defender for Office 365 automatically remove clusters of malicious messages — without waiting for analyst approval on every single item. Here’s how it works. Defender’s Automated Investigation and Response (AIR) groups messages into “clusters” based on shared indicators like the same malicious URL or malicious file hash. If you opt in to automatic remediation for those cluster types, AIR will go find every matching copy of that threat across the tenant and soft-delete those messages, not just the one that triggered the alert. Why this matters: It turns post-delivery cleanup into something that happens immediately instead of “after Tier 1 has time to review.” It removes known-bad messages from user mailboxes (and related collaboration surfaces like Teams) before a target can click. It dramatically cuts the classic “Did anyone else get this?” manual hunt-and-purge work that burns out SOC analysts. When you configure AIR automation settings in the Microsoft Defender portal (Settings > Email & collaboration > MDO automation settings), you’ll see checkboxes for “Similar files” and “Similar URLs.” Selecting those opts you into automatic soft delete for those clusters. Today, soft delete is the default supported action for these automatic remediations, enabling administrators to undo a deletion, if necessary. This is Defender for Office 365 Plan 2 / Microsoft 365 E5 functionality, and it’s exactly the kind of “secure operations by default” Microsoft has been pushing: detect, contain, and clean up automatically, then let humans investigate with context instead of manually chasing every copy of a phish. This automation triggers when malicious clusters are detected. For automating the classification and triage of user-submitted phishing incidents, check out the Security Copilot Phishing Triage Agent (Preview). Additional Links: GA Announcement: https://techcommunity.microsoft.com/blog/-/auto-remediation-of-malicious-messages-in-automated/4418047 Docs: https://learn.microsoft.com/en-us/defender-office-365/air-auto-remediation Final Thoughts Defender for Office 365 is more than “email filtering.” It’s part of your security operations surface. The decisions you make about automated remediation (AIR), bulk mail thresholds, Safe Links/Attachment behavior, outbound forwarding, connector hygiene, quarantine policy, and impersonation tuning directly determine how easy — or how hard — it is for an attacker to penetrate your organization. Microsoft’s current guidance is clear: Apply Standard or Strict preset security policies so users get the recommended protections by default (for example, Safe Links with no click-through). If you must use a custom policy, review the recommendations from the Configuration analyzer monthly for new recommendations, or to catch and correct drift whenever someone weakens a control. Align internal procedures with the excellent Security Operations Guide for Defender for Office 365. Lock down quarantine so only admins can release high-risk messages, with an auditable “request release” path for users. Turn on automated remediation so Defender can remove malicious clusters of messages before anyone clicks. Organizations that land these basics are in a dramatically better position during an incident. Instead of “Who clicked the link?” you can say, “AIR already pulled it, users were blocked from clicking through, outbound forwarding is disabled, and impersonation of the CFO is quarantined for admin review.” That’s what “secure by default” actually looks like in production. ________ This blog was authored by Joe Stocker, Microsoft Security MVP and Founder of Patriot Consulting Technology Group, in partnership with the Microsoft Defender for Office 365 product team, including Paul Newell, Senior Product Manager, Microsoft Defender for Office 365. Joe Stocker Microsoft Security MVP Learn More and Meet the Author 1) December 16th Ask the Experts Webinar: Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE) DECEMBER 16, 8 AM US Pacific You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs). Now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real-world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16. 2) Additional MVP Tips and Tricks Blogs and Videos in this Four-Part Series: Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai Safeguarding Microsoft Teams with Microsoft Defender for Office 365 by Pierre Thoor You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri (This post) "Microsoft Defender for Office 365: Fine-Tuning" by Joe Stocker Learn and Engage with the Microsoft Security Community Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office 365 discussion space. Follow = Click the heart in the upper right when you're logged in 🤍 Learn more about the Microsoft MVP Program. Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more. Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community. Join the Microsoft Security Community LinkedIn
