Turn on ATP for SharePoint, OneDrive, and Microsoft Teams

Important

Welcome to Microsoft Defender for Office 365, the new name for Office 365 Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. For more information, see ATP for SharePoint, OneDrive, and Microsoft Teams.

This article contains the steps for enabling and configuring ATP for SharePoint, OneDrive, and Microsoft Teams.

What do you need to know before you begin?

Step 1: Use the Security & Compliance Center to turn on ATP for SharePoint, OneDrive, and Microsoft Teams

  1. In the Security & Compliance Center, go to Threat management > Policy > ATP Safe Attachments, and click Global settings.

  2. In the Global settings fly out that appears, go to the Turn on ATP for SharePoint, OneDrive, and Microsoft Teams setting. Move the toggle to the right to turn on ATP for SharePoint, OneDrive, and Microsoft Teams.

    When you're finished, click Save.

Use Exchange Online PowerShell to turn on ATP for SharePoint, OneDrive, and Microsoft Teams

If you'd rather use PowerShell to turn on ATP for SharePoint, OneDrive, and Microsoft Teams, connect to Exchange Online PowerShell and run the following command:

Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

For detailed syntax and parameter information, see Set-AtpPolicyForO365.

By default, users can't open, move, copy, or share malicious files that are detected by ATP. However, they can delete and download malicious files.

To prevent users from downloading malicious files, connect to SharePoint Online PowerShell and run the following command:

Set-SPOTenant -DisallowInfectedFileDownload $true

Notes:

  • This setting affects both users and admins.
  • People can still delete malicious files.

For detailed syntax and parameter information, see Set-SPOTenant.

You can create an alert policy that notifies you and other admins when ATP for SharePoint, OneDrive, and Microsoft Teams detects a malicious file. To learn more about alerts, see Create activity alerts in the Security & Compliance Center.

  1. In the Security & Compliance Center, go to Alerts > Alert policies or open https://protection.office.com/alertpolicies.

  2. On the Alert policies page, click New alert policy.

  3. The New alert policy wizard opens in a fly out. On the Name your alert page, configure the following settings:

    • Name: Type a unique and descriptive name. For example, Malicious Files in Libraries.
    • Description: Type an optional description. For example, Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams.
    • Severity: Leave the default value Low selected, or select Medium or High.
    • Select a category: Select Threat management.

    When you're finished, click Next.

  4. On the Create alert settings page, configure the following settings:

    • What do you want to alert on?: Activity is: Select Detected malware in file.
    • How do you want the alert to be triggered?: Leave the default value Every time an activity matches the rule selected.

    When you're finished, click Next.

  5. On the Set your recipients page, configure the following settings:

    • Send email notifications: Verify this setting is selected. In the Email recipients box, select one or more global administrators, security administrators, or security readers who should receive notification when a malicious file is detected.
    • Daily notification limit: Leave the default value No limit selected.

    When you're finished, click Next.

  6. On the Review your settings page, review the settings, and click Edit in any of the sections to make changes.

    In the Do you want to turn the policy on right away? section, leave the default value Yes, turn it on right away selected.

    When you're finished, click Finish.

Use Security & Compliance PowerShell to create an alert policy for detected files

If you'd rather use PowerShell to create the same alert policy as described in the previous section, connect to Security & Compliance Center PowerShell and run the following command:

New-ActivityAlert -Name "Malicious Files in Libraries" -Description "Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams" -Category ThreatManagement -Operation FileMalwareDetected -NotifyUser "admin1@contoso.com","admin2@contoso.com"

Note: The default Severity value is Low. To specify Medium or High, include the Severity parameter and value in the command.

For detailed syntax and parameter information, see New-ActivityAlert.

How do you know these procedures worked?

  • To verify that you've successfully turned on ATP for SharePoint, OneDrive, and Microsoft Teams, use either of the following steps:

    • In the Security & Compliance Center, go to Threat management > Policy > ATP Safe Attachments, select Global settings, and verify the value of the Turn on ATP for SharePoint, OneDrive, and Microsoft Teams setting.

    • In Exchange Online PowerShell, run the following command to verify the property setting:

      Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB

      For detailed syntax and parameter information, see Get-AtpPolicyForO365.

  • To verify that you've successfully blocked people from downloading malicious files, open SharePoint Online PowerShell, and run the following command to verify the property value:

    Get-SPOTenant | Format-List DisallowInfectedFileDownload

    For detailed syntax and parameter information, see Get-SPOTenant.

  • To verify that you've successfully configured an alert policy for detected files, use any of the following steps:

    • In the Security & Compliance Center, go to Alerts > Alert policies, select the alert policy, and verify the settings.

    • In Security & Compliance Center PowerShell, replace <AlertPolicyName> with the name of the alert policy, run the following command, and verify the property values:

      Get-ActivityAlert -Identity "<AlertPolicyName>"

      For detailed syntax and parameter information, see Get-ActivityAlert.

  • Use the Threat protection status report to view information about detected files in SharePoint, OneDrive, and Microsoft Teams. Specifically, you can use the View data by: Content > Malware view.
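
The PowerShell checks above collected into one pass, as an added example that is not part of the original article. It assumes Exchange Online, SharePoint Online, and Security & Compliance Center PowerShell sessions are already connected in the same window, and that Get-ActivityAlert returns Operation and NotifyUser properties matching the New-ActivityAlert parameters; New-Check is a hypothetical helper.

```powershell
# Added example: compares the three settings this article configures
# against their intended values and reports any that differ.
$alertName = 'Malicious Files in Libraries'   # example policy name from this article

function New-Check {   # hypothetical helper: builds one row of the report
    param([string]$Setting, $Expected, $Actual)
    [pscustomobject]@{
        Setting  = $Setting
        Expected = $Expected
        Actual   = $Actual
        Pass     = ($Actual -eq $Expected)
    }
}

$report = @()

# Exchange Online PowerShell: ATP for SharePoint, OneDrive, and Microsoft Teams
$atpEnabled = (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB
$report += New-Check 'EnableATPForSPOTeamsODB' $true $atpEnabled

# SharePoint Online PowerShell: block download of detected files
$blockDownload = (Get-SPOTenant).DisallowInfectedFileDownload
$report += New-Check 'DisallowInfectedFileDownload' $true $blockDownload

# Security & Compliance Center PowerShell: alert policy for detected files
try   { $alert = Get-ActivityAlert -Identity $alertName -ErrorAction Stop }
catch { $alert = $null }   # a missing policy is reported as a failed check

$report += New-Check "Alert policy '$alertName' exists" $true ($null -ne $alert)
if ($alert) {
    # Property names assumed to mirror the New-ActivityAlert parameters
    $coversMalware = @($alert.Operation) -contains 'FileMalwareDetected'
    $hasRecipients = @($alert.NotifyUser).Count -gt 0
    $report += New-Check 'Alert covers FileMalwareDetected' $true $coversMalware
    $report += New-Check 'Alert has at least one recipient' $true $hasRecipients
}

$report | Format-Table -AutoSize

if ($report.Pass -contains $false) {
    Write-Warning 'One or more settings differ from the values this article configures.'
}
```

Running this on a schedule catches a setting that was later switched off, which the one-time checks above do not.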