Safe Documents in Microsoft 365 E5
What do you need to know before you begin?
Safe Documents is available only to users with Microsoft 365 E5 or Microsoft 365 E5 Security licenses. These licenses are not included in Microsoft Defender for Office 365 plans.
Safe Documents is supported in Microsoft 365 Apps for enterprise (formerly known as Office 365 ProPlus) version 2004 or later.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
You need to be assigned permissions in the Security & Compliance Center before you can do the procedures in this article:
- To configure Safe Documents settings, you need to be a member of the Organization Management or Security Administrator role groups.
- For read-only access to Safe Documents settings, you need to be a member of the Global Reader or Security Reader role groups.
For more information, see Permissions in the Security & Compliance Center.
- Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Security & Compliance Center and permissions for other features in Microsoft 365. For more information, see About admin roles.
- The View-Only Organization Management role group in Exchange Online also gives read-only access to the feature.
How does Microsoft handle your data?
To keep you protected, Safe Documents sends files to the Microsoft Defender for Endpoint cloud for analysis. For details on how Microsoft Defender for Endpoint handles your data, see Microsoft Defender for Endpoint data storage and privacy.
Files sent by Safe Documents are not retained in Defender beyond the time needed for analysis (typically, less than 24 hours).
Use the Security & Compliance Center to configure Safe Documents
In the Security & Compliance Center, go to Threat management > Policy > ATP Safe Attachments, and then click Global settings.
In the Global settings flyout that appears, configure the following settings:
- Turn on Safe Documents for Office clients: Move the toggle to the right to turn on the feature.
- Allow people to click through Protected View even if Safe Documents identifies the file as malicious: We recommend that you leave this option turned off (leave the toggle to the left).
When you're finished, click Save.
Use Exchange Online PowerShell to configure Safe Documents
Use the following syntax:
Set-AtpPolicyForO365 -EnableSafeDocs <$true | $false> -AllowSafeDocsOpen <$true | $false>
- The EnableSafeDocs parameter enables or disables Safe Documents for the entire organization.
- The AllowSafeDocsOpen parameter allows or prevents users from leaving Protected View (that is, opening the document) if the document has been identified as malicious.
This example enables Safe Documents for the entire organization, and prevents users from opening documents that have been identified as malicious from Protected View.
Set-AtpPolicyForO365 -EnableSafeDocs $true -AllowSafeDocsOpen $false
For detailed syntax and parameter information, see Set-AtpPolicyForO365.
How do I know this worked?
To verify that you've enabled and configured Safe Documents, do any of the following steps:
- In the Security & Compliance Center, go to Threat management > Policy > ATP Safe Attachments, click Global settings, and verify the Turn on Safe Documents for Office clients and Allow people to click through Protected View even if Safe Documents identifies the file as malicious settings.
- Run the following command in Exchange Online PowerShell and verify the property values:
Get-AtpPolicyForO365 | Format-List *SafeDocs*
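One way to automate the check above: an added example, not part of the original article or Microsoft's own tooling, that compares the two Safe Documents properties with the values this article recommends. The function name Test-SafeDocsPolicy and the sample object are assumptions made for illustration; the property names match the EnableSafeDocs and AllowSafeDocsOpen parameters described earlier.

```powershell
# Added example: audits Safe Documents settings against the recommended state.
# Test-SafeDocsPolicy is a hypothetical helper name, not a Microsoft cmdlet.
function Test-SafeDocsPolicy {
    [CmdletBinding()]
    param(
        # Object exposing EnableSafeDocs and AllowSafeDocsOpen,
        # for example the output of Get-AtpPolicyForO365.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    process {
        # Desired values from the article: feature on, click-through off.
        $expected = [ordered]@{
            EnableSafeDocs    = $true
            AllowSafeDocsOpen = $false
        }
        foreach ($name in $expected.Keys) {
            # A missing property is reported as non-compliant, not silently skipped.
            $prop = $Policy.PSObject.Properties[$name]
            if ($null -eq $prop) { $actual = '<property missing>' } else { $actual = $prop.Value }
            [pscustomobject]@{
                Setting   = $name
                Expected  = $expected[$name]
                Actual    = $actual
                Compliant = ($null -ne $prop -and $prop.Value -eq $expected[$name])
            }
        }
    }
}

# Constructed sample (not real tenant output): Safe Documents is on, but users
# can still leave Protected View for files identified as malicious.
$sample   = [pscustomobject]@{ EnableSafeDocs = $true; AllowSafeDocsOpen = $true }
$findings = $sample | Test-SafeDocsPolicy
$findings | Format-Table -AutoSize

# Against a live tenant, in a connected Exchange Online PowerShell session:
#   $findings = Get-AtpPolicyForO365 | Test-SafeDocsPolicy
if ($findings | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Safe Documents settings differ from the recommended configuration.'
}
```

With the constructed sample, the AllowSafeDocsOpen row is reported as non-compliant and the warning is written; running the commented live-tenant line requires the read-only permissions listed earlier in this article.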
The following files are available to test Safe Documents protection. These documents are similar to the EICAR.TXT file for testing anti-malware and anti-virus solutions. The files are not harmful, but they will trigger Safe Documents protection.