Safe Documents in Microsoft 365 E5/A5

Safe Documents is a premium feature that uses the cloud backend of Microsoft Defender for Endpoint to scan opened Office documents in Protected View or Application Guard for Office.

Users don't need Defender for Endpoint installed on their local devices to get Safe Documents protection. Users get Safe Documents protection if all of the following requirements are met:

  • Safe Documents is enabled in the organization as described in this article.

  • Licenses from a required licensing plan are assigned to the users. Safe Documents is controlled by the Office 365 SafeDocs (or SAFEDOCS or bf6f5520-59e3-4f82-974b-7dbbc4fd27c7) service plan (also known as a service). This service plan is available in the following licensing plans (also known as license plans, Microsoft 365 plans, or products):

    • Microsoft 365 A5 for Faculty
    • Microsoft 365 A5 for Students
    • Microsoft 365 E5
    • Microsoft 365 E5 Security

    Safe Documents is not included in Microsoft Defender for Office 365 licensing plans.

    For more information, see Product names and service plan identifiers for licensing.

  • They're using Microsoft 365 Apps for enterprise (formerly known as Office 365 ProPlus) version 2004 or later.

What do you need to know before you begin?

  • You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Safe Attachments page, use https://security.microsoft.com/safeattachmentv2.

  • To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

  • You need permissions in Exchange Online before you can do the procedures in this article:

    • To configure Safe Documents settings, you need to be a member of the Organization Management or Security Administrator role groups.
    • For read-only access to Safe Documents settings, you need to be a member of the Global Reader or Security Reader role groups.

    For more information, see Permissions in Exchange Online.

    Note

    • Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions and permissions for other features in Microsoft 365. For more information, see About admin roles.

    • The View-Only Organization Management role group in Exchange Online also gives read-only access to the feature.

How does Microsoft handle your data?

To keep you protected, Safe Documents sends files to the Microsoft Defender for Endpoint cloud for analysis. Details on how Microsoft Defender for Endpoint handles your data can be found here: Microsoft Defender for Endpoint data storage and privacy.

Files sent by Safe Documents are not retained in Defender for Endpoint beyond the time needed for analysis (typically, less than 24 hours).

Use the Microsoft 365 Defender portal to configure Safe Documents

  1. Open the Microsoft 365 Defender portal and go to Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in the Policies section.

  2. On the Safe Attachments page, click Global settings.

  3. In the Global settings flyout that appears, configure the following settings:

    • Turn on Safe Documents for Office clients: Move the toggle to the right to turn on the feature.
    • Allow people to click through Protected View even if Safe Documents identified the file as malicious: We recommend that you leave this option turned off (leave the toggle to the left).

    When you're finished, click Save.

Use Exchange Online PowerShell to configure Safe Documents

If you'd rather use PowerShell to configure Safe Documents, use the following syntax in Exchange Online PowerShell:

Set-AtpPolicyForO365 -EnableSafeDocs <$true | $false> -AllowSafeDocsOpen <$true | $false>

  • The EnableSafeDocs parameter enables or disables Safe Documents for the entire organization.
  • The AllowSafeDocsOpen parameter allows or prevents users from leaving Protected View (that is, opening the document) if the document has been identified as malicious.

This example enables Safe Documents for the entire organization, and prevents users from opening documents that have been identified as malicious from Protected View.

Set-AtpPolicyForO365 -EnableSafeDocs $true -AllowSafeDocsOpen $false

For detailed syntax and parameter information, see Set-AtpPolicyForO365.
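
The following is an added example, not part of the original article: a drift check that evaluates the two settings described above against the recommended values. Test-SafeDocsPolicy is a hypothetical helper name, and the sample object is constructed so the function can be exercised without a tenant connection.

```powershell
# Added example: flags Safe Documents settings that differ from the
# recommended configuration (EnableSafeDocs = True, AllowSafeDocsOpen = False).
# Test-SafeDocsPolicy is a hypothetical helper, not a Microsoft cmdlet.
function Test-SafeDocsPolicy {
    [CmdletBinding()]
    param(
        # Object returned by Get-AtpPolicyForO365, or a constructed stand-in.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    process {
        $findings = @()
        if (-not $Policy.EnableSafeDocs) {
            $findings += 'EnableSafeDocs is False: Safe Documents is off for the organization.'
        }
        if ($Policy.AllowSafeDocsOpen) {
            $findings += 'AllowSafeDocsOpen is True: users can leave Protected View for files identified as malicious.'
        }
        # One result object per policy, suitable for logging or alerting.
        [pscustomobject]@{
            EnableSafeDocs    = [bool]$Policy.EnableSafeDocs
            AllowSafeDocsOpen = [bool]$Policy.AllowSafeDocsOpen
            Compliant         = ($findings.Count -eq 0)
            Findings          = $findings
        }
    }
}

# Constructed sample input: scanning is on, but click-through is allowed.
$sample = [pscustomobject]@{ EnableSafeDocs = $true; AllowSafeDocsOpen = $true }
$sample | Test-SafeDocsPolicy

# Against a live tenant (requires an Exchange Online PowerShell session):
# Get-AtpPolicyForO365 | Test-SafeDocsPolicy
```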

Configure individual access to Safe Documents

If you want to selectively allow or block access to the Safe Documents feature, follow these steps:

  1. Turn on Safe Documents in the Microsoft 365 Defender portal or Exchange Online PowerShell as previously described in this article.
  2. Use Azure AD PowerShell to disable Safe Documents for specific users as described in Disable specific Microsoft 365 services for specific users for a specific licensing plan.

The name of the service plan to disable in PowerShell is SAFEDOCS.
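
One way to carry out step 2 with the AzureAD module, as an added example that is not part of the original article. The user principal name is a constructed placeholder and the SKU part number SPE_E5 is an assumption; confirm the value in your tenant with Get-AzureADSubscribedSku. The script merges SAFEDOCS into the user's existing disabled plans, because the DisabledPlans list is written as a whole and would otherwise re-enable plans that were previously disabled.

```powershell
# Added example; requires the AzureAD module and a Connect-AzureAD session.
$upn           = 'user@contoso.example'   # constructed placeholder
$skuPartNumber = 'SPE_E5'                 # assumption: the tenant's Microsoft 365 E5 SKU

# Locate the licensing plan and the SAFEDOCS service plan inside it.
$sku = Get-AzureADSubscribedSku | Where-Object SkuPartNumber -eq $skuPartNumber
if (-not $sku) { throw "SKU $skuPartNumber was not found in this tenant." }

$safeDocs = $sku.ServicePlans | Where-Object ServicePlanName -eq 'SAFEDOCS'
if (-not $safeDocs) { throw "SKU $skuPartNumber does not contain the SAFEDOCS service plan." }

# Confirm the user actually holds this license before changing it.
$user     = Get-AzureADUser -ObjectId $upn
$assigned = $user.AssignedLicenses | Where-Object SkuId -eq $sku.SkuId
if (-not $assigned) { throw "$upn has no $skuPartNumber license assigned." }

# Keep the plans that are already disabled and add SAFEDOCS to them.
[string[]]$disabled = @($assigned.DisabledPlans) + $safeDocs.ServicePlanId |
    Where-Object { $_ } | Select-Object -Unique

$license               = New-Object Microsoft.Open.AzureAD.Model.AssignedLicense
$license.SkuId         = $sku.SkuId
$license.DisabledPlans = $disabled

$licenses             = New-Object Microsoft.Open.AzureAD.Model.AssignedLicenses
$licenses.AddLicenses = $license
Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses

# Verify: the SAFEDOCS service plan ID should now appear in DisabledPlans.
(Get-AzureADUser -ObjectId $upn).AssignedLicenses |
    Where-Object SkuId -eq $sku.SkuId |
    Select-Object -ExpandProperty DisabledPlans
```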

Onboard to the Microsoft Defender for Endpoint service to enable auditing capabilities

To enable auditing capabilities, the local device needs to have Microsoft Defender for Endpoint installed. To deploy Microsoft Defender for Endpoint, you need to go through the various phases of deployment. After onboarding, you can configure auditing capabilities in the Microsoft 365 Defender portal.

To learn more, see Onboard to the Microsoft Defender for Endpoint service. If you need additional help, refer to Troubleshoot Microsoft Defender for Endpoint onboarding issues.

How do I know this worked?

To verify that you've enabled and configured Safe Documents, do any of the following steps:

  • In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in the Policies section > Global settings, and verify the Turn on Safe Documents for Office clients and Allow people to click through Protected View even if Safe Documents identifies the file as malicious settings.

  • Run the following command in Exchange Online PowerShell and verify the property values:

    Get-AtpPolicyForO365 | Format-List *SafeDocs*
    
  • The following files are available to test Safe Documents protection. These files are similar to the EICAR.TXT file for testing anti-malware and anti-virus solutions. The files are not harmful, but they will trigger Safe Documents protection.