Admin review for reported messages
The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.
In Microsoft 365 organizations with Exchange Online mailboxes and Microsoft Defender for Office 365, admins can now send templated messages back to end users after they review reported messages. The templates can be customized for your organization and based on your admin's verdict as well.
The feature is designed to give feedback to your users but doesn't change the verdicts of messages in the system. To help Microsoft update and improve its filters, you need to submit messages for analysis using Admin submission.
You will only be able to mark and notify users of review results if the message was reported as a false positives or false negatives.
What do you need to know before you begin?
To modify the configuration for User submissions, you need to be a member of one of the following role groups:
You'll also need access to Exchange Online PowerShell. If the account that you're trying to use doesn't have access to Exchange Online PowerShell, you'll receive an error that says Specify an email address in your domain. For more information about enabling or disabling access to Exchange Online PowerShell, see the following topics:
Notify users from within the portal
In the Microsoft 365 Defender portal, go directly to the Submissions page: [https://security.microsoft.com/reportsubmission}(https://security.microsoft.com/reportsubmission).
Click User reported messages, and then select the message you want to mark and notify.
Select the Mark as and notify drop-down, and then select No threats found, Phishing, or Junk.
The reported message will be marked as either false positive or false negative, and an email will be automatically sent from within the portal notifying the user who reported the message.
Customize the messages used to notify users
In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > User reported message settings in the Others section.
On the User submissions page, if you want to specify the sender display name, check the box for Specify Office 365 email address to use as sender under the Email notifications for admin review results section, and enter in the name you wish to use. The email address that will be visible in Outlook and all the replies will go there.
If you want to customize any of the templates, click Customize email notification at the bottom of the page. In the flyout that opens, you can customize only the following:
- No threats found
When you're finished, click Save. To clear these values, click Discard on the User submissions page.