Turn on Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams
This article is intended for business customers who have Office 365 Advanced Threat Protection. If you are a home user looking for information about Safe Links in Outlook, see Advanced Outlook.com security.
Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When a malicious file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. Read this article to turn on ATP for SharePoint, OneDrive, and Teams, set up alerts to be notified about detected files, and take your next steps.
To define (or edit) ATP policies, you must be assigned an appropriate role. Some examples are described in the following table:
|Role|Where/how assigned|
|---|---|
|Office 365 Global Administrator|The person who signs up to buy Office 365 is a global admin by default. (See About Office 365 admin roles to learn more.)|
|Security Administrator|Azure Active Directory admin center (https://aad.portal.azure.com)|
|Exchange Online Organization Management|Exchange admin center (https://outlook.office365.com/ecp); PowerShell cmdlets (See Exchange Online PowerShell)|
Turn on ATP for SharePoint, OneDrive, and Microsoft Teams
Before you begin this procedure, make sure that audit logging is already turned on for your Office 365 environment. This is typically done by someone who has the Audit Logs role assigned in Exchange Online. For more information, see Turn Office 365 audit log search on or off.
1. Go to https://protection.office.com, and sign in with your work or school account.
2. In the Office 365 Security & Compliance Center, in the left navigation pane, under Threat management, choose Policy > Safe Attachments.
3. Select Turn on ATP for SharePoint, OneDrive, and Microsoft Teams.
4. (Recommended) As a global administrator or a SharePoint Online administrator, run the Set-SPOTenant cmdlet with the DisallowInfectedFileDownload parameter set to true.
   - Setting the parameter to true blocks all actions (except Delete) for detected files. People cannot open, move, copy, or share detected files.
   - Setting the parameter to false blocks all actions except Delete and Download. People can choose to accept the risk and download a detected file.
5. Allow up to 30 minutes for your changes to spread to all Office 365 datacenters.
6. (Recommended) Proceed to set up alerts for detected files.
To learn more about using PowerShell with Office 365, see Manage Office 365 with PowerShell.
To learn more about the user experience when a file has been detected as malicious, see What to do when a malicious file is found in SharePoint Online, OneDrive, or Microsoft Teams.
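The following script is an added example, not part of the original article. It checks the prerequisite and settings from the procedure above and applies the recommended Set-SPOTenant setting. It assumes an Exchange Online PowerShell session is already connected and the SharePoint Online Management Shell is installed; the admin URL is a placeholder you supply.

```powershell
# Added example (not from the original article).
# Assumptions: an Exchange Online PowerShell session is already connected,
# the SharePoint Online Management Shell module is installed, and
# -AdminUrl is your tenant admin URL (placeholder shown below).
param(
    [Parameter(Mandatory)]
    [string]$AdminUrl   # for example https://contoso-admin.sharepoint.com (placeholder)
)

$ErrorActionPreference = 'Stop'

# Prerequisite: audit logging must already be turned on.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    throw 'Audit logging is turned off. Turn on audit log search first.'
}

# Step 3 check: is ATP for SharePoint, OneDrive, and Teams turned on?
$atpEnabled = (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB
if (-not $atpEnabled) {
    Write-Warning 'ATP for SharePoint, OneDrive, and Microsoft Teams is not turned on.'
}

# Step 4: block every action except Delete on detected files.
Connect-SPOService -Url $AdminUrl
$before = (Get-SPOTenant).DisallowInfectedFileDownload
if (-not $before) {
    Set-SPOTenant -DisallowInfectedFileDownload $true
}
$after = (Get-SPOTenant).DisallowInfectedFileDownload

# Summary for the change record. Allow up to 30 minutes for propagation.
[pscustomobject]@{
    AuditLoggingEnabled          = $audit.UnifiedAuditLogIngestionEnabled
    AtpForSpoOneDriveTeams       = $atpEnabled
    DisallowInfectedFileDownload = $after
    ChangedByThisRun             = ($before -ne $after)
}
```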
Set up alerts for detected files
To receive notification when a file in SharePoint Online, OneDrive for Business, or Microsoft Teams has been identified as malicious, you can set up an alert.
1. In the Office 365 Security & Compliance Center, choose Alerts > Manage alerts.
2. Choose New alert policy.
3. Specify a name for the alert. For example, you could type Malicious Files in Libraries.
4. Type a description for the alert. For example, you could type Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams.
5. In the Send this alert when... section, do the following:
   a. In the Activities list, choose Detected malware in file.
   b. Leave the Users field empty.
6. In the Send this alert to... section, select one or more global administrators, security administrators, or security readers who should receive notification when a malicious file is detected.
To learn more about alerts, see Create activity alerts in the Office 365 Security & Compliance Center.