Get started using Automated investigation and response (AIR) in Office 365

Office 365 Advanced Threat Protection (Office 365 ATP) Plan 2 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of this can help. With AIR, your security operations team can focus on higher-priority tasks without losing sight of alerts that are triggered.

This article describes the overall flow of AIR, how to get AIR, and the required permissions to configure or use AIR capabilities.

The overall flow of AIR

At a high level, an alert is triggered, and a security playbook starts an automated investigation, which results in findings and recommendations. Here's the overall flow of AIR, step by step:

  1. An automated investigation is initiated in one of the following ways:

  2. While an automated investigation runs, it gathers additional data about the email in question and entities related to that email. Such entities can include files, URLs, and recipients. The investigation's scope can increase as new and related alerts are triggered.

  3. During and after an automated investigation, details and results are available to view. Results include recommended actions that can be taken to respond and remediate any threats that were found. In addition, a playbook log is available that tracks all investigation activity.

    If your organization is using a custom reporting solution or a third-party solution, you can use the Office 365 Management Activity API to view information about automated investigations and threats.

  4. Your security operations team reviews the investigation results and recommendations, and approves or rejects remediation actions.

    As pending remediation actions are approved (or rejected), the automated investigation completes.


In Office 365 ATP, no remediation actions are taken automatically. Remediation actions are taken only upon approval by your organization's security team.

During and after an automated investigation process, your security team can do the following:


For more details, see How AIR works.

How to get AIR

Office 365 AIR capabilities are included in Office 365 Advanced Threat Protection Plan 2. However, your Office 365 ATP policies should be configured in order for AIR to work as expected. In addition, make sure to review and potentially configure your organization's alert policies.

Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the default alert policies can trigger automated investigations. These include the following:

  • A potentially malicious URL click is detected

  • An email message is reported by a user as phish

  • Email messages containing malware are removed after delivery

  • Email messages containing phish URLs are removed after delivery

  • Suspicious email sending patterns are detected

  • A user is restricted from sending email

Learn more about alerts and AIR.

Required permissions to use AIR capabilities

Permissions are granted through certain roles, such as those that are described in the following table:

Task Role(s) required
To set up AIR features One of the following roles:
- Global Administrator
- Security Administrator
These roles can be assigned in Azure Active Directory or in the Security & Compliance Center.
To approve or reject recommended actions One of the following roles, assigned in Azure Active Directory or in the Security & Compliance Center):
- Global Administrator
- Security Administrator
- Security Reader
--- and ---
- Search and Purge (this role is assigned only in the Security & Compliance Center. You might have to create a new role group there and add the Search and Purge role to that new role group.)

Office 365 ATP Plan 2 licenses should be assigned to:

  • Security administrators (including global administrators)
  • Your organization's security operations team (including security readers and those with the Search and Purge role)
  • End users

In addition, Office 365 ATP policies must be defined and applied in order for protection to be in place.

Next steps