Set up Office 365 ATP Safe Links policies
Important
This article is intended for Office 365 Enterprise customers. If you are using Outlook.com, Office 365 Home, or Office 365 Personal, and you're looking for information about Safe Links in Outlook, see Advanced Outlook.com security.
ATP Safe Links, a feature of Office 365 Advanced Threat Protection (ATP), can help protect your organization from malicious links used in phishing and other attacks. If you have the necessary permissions for the Office 365 Security & Compliance Center, you can set up ATP Safe Links policies to help ensure that when people click web addresses (URLs), your organization is protected. Your ATP Safe Links policies can be configured to scan URLs in email and URLs in Office documents.
New features are continually being added to ATP. As new features are added, you may need to make adjustments to your existing ATP Safe Links policies.
What to do
Review the prerequisites.
Review and edit the default ATP Safe Links policy that applies to everyone. For example, you can set up your custom blocked URLs list for ATP Safe Links.
Add or edit policies for specific email recipients, including setting up your custom "Do not rewrite" URLs list for ATP Safe Links.
Learn about ATP Safe Links policy options (in this article), including settings for recent changes.
Step 1: Review the prerequisites
Make sure that your organization has Office 365 Advanced Threat Protection.
Make sure that you have the necessary permissions. To define (or edit) ATP policies, you must be assigned an appropriate role. Some examples are described in the following table:
| Role | Where/how assigned |
|---|---|
| Office 365 Global Administrator | The person who signs up to buy Office 365 is a global admin by default. (See About Office 365 admin roles to learn more.) |
| Security Administrator | Azure Active Directory admin center (https://aad.portal.azure.com) |
| Exchange Online Organization Management | Exchange admin center (https://outlook.office365.com/ecp) or PowerShell cmdlets (See Exchange Online PowerShell) |

To learn more about roles and permissions, see Permissions in the Office 365 Security & Compliance Center.
Make sure that Office clients are configured to use Modern Authentication (this is for ATP Safe Links protection in Office documents).
Learn about ATP Safe Links policy options (in this article).
Allow up to 30 minutes for your new or updated policy to spread to all Office 365 datacenters.
Step 2: Define (or review) the ATP Safe Links policy that applies to everyone
When you have Office 365 Advanced Threat Protection, you will have a default ATP Safe Links policy that applies to everyone in your organization. Make sure to review, and if needed, edit your default policy.
Go to https://protection.office.com and sign in with your work or school account.
In the left navigation, under Threat management, choose Policy > Safe Links.
In the Policies that apply to the entire organization section, select Default, and then choose Edit (the Edit button resembles a pencil).

In the Block the following URLs section, specify one or more URLs that you want to prevent people in your organization from visiting. (See Set up a custom blocked URLs list using ATP Safe Links.)
In the Settings that apply to content except email section, select (or clear) the options you want to use. (We recommend that you select all the options.)
Choose Save.
Step 3: Add (or edit) ATP Safe Links policies that apply to specific email recipients
After you have reviewed (or edited) the default ATP Safe Links policy that applies to everyone, your next step is to define additional policies that would apply to specific recipients. For example, you can specify exceptions to your default policy by defining an additional policy.
Go to https://protection.office.com and sign in with your work or school account.
In the left navigation, under Threat management, choose Policy.
Choose Safe Links.
In the Policies that apply to specific recipients section, choose New (the New button resembles a plus sign (+)).

Specify the name, description, and settings for your policy.
Example: To set up a policy called "no direct click through" that does not allow people in a certain group in your organization to click through to a specific website without ATP Safe Links protection, you might specify the following recommended settings:
In the Name box, type no direct click through.
In the Description box, type a description like, Prevents people in certain groups from clicking through to a website without ATP Safe Links verification.
In the Select the action section, choose On.
Select Use Safe Attachments to scan downloadable content.
If this option is available, select Apply Safe Links to messages sent within the organization.
Select Do not allow user to click through to original URL.
(This is optional) In the Do not rewrite the following URLs section, specify one or more URLs that are considered to be safe for your organization. (See Set up a custom "Do not rewrite" URLs list using ATP Safe Links)
In the Applied To section, choose The recipient is a member of, and then choose the group(s) you want to include in your policy. Choose Add, and then choose OK.
Choose Save.
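The same "no direct click through" policy can be scripted. The following is an added example, not part of the original article. It assumes an already connected Exchange Online PowerShell session and uses the `New-SafeLinksPolicy` and `New-SafeLinksRule` parameter names from the Office 365 ATP era, which may differ in current module versions (confirm with `Get-Help New-SafeLinksPolicy -Full`). The group address and the "Do not rewrite" URL are placeholders.

```powershell
# Added example: assumes an existing Exchange Online PowerShell session.
$policyName   = 'no direct click through'
$groupAddress = 'finance-team@contoso.com'          # placeholder group
$doNotRewrite = @('https://intranet.contoso.com')   # placeholder URL (optional setting)

# The policy object carries the settings chosen in the steps above.
$policyParams = @{
    Name                     = $policyName
    AdminDisplayName         = 'Prevents people in certain groups from clicking through to a website without ATP Safe Links verification.'
    IsEnabled                = $true   # Select the action: On
    ScanUrls                 = $true   # Use Safe Attachments to scan downloadable content
    EnableForInternalSenders = $true   # Apply Safe Links to messages sent within the organization
    DoNotAllowClickThrough   = $true   # Do not allow user to click through to original URL
    DoNotRewriteUrls         = $doNotRewrite
}
New-SafeLinksPolicy @policyParams

# The rule is the "Applied To" part: it binds the policy to the group's members.
New-SafeLinksRule -Name $policyName -SafeLinksPolicy $policyName -SentToMemberOf $groupAddress

# Read the configuration back and flag recipient policies that are switched
# off or still let users click through a warning page.
$policies = Get-SafeLinksPolicy
$policies |
    Select-Object Name, IsEnabled, ScanUrls, EnableForInternalSenders, DoNotAllowClickThrough |
    Format-Table -AutoSize

$weak = $policies | Where-Object { -not $_.IsEnabled -or -not $_.DoNotAllowClickThrough }
if ($weak) {
    Write-Warning ("Policies that are off or allow click-through: " + ($weak.Name -join ', '))
}
```

A policy listed by the warning may be an intentional exception (for example, an Off policy for a specific group), so review each one against its documented purpose.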
Step 4: Learn about ATP Safe Links policy options
As you set up or edit your ATP Safe Links policies, you will see several options available. In case you are wondering what these options are, the following tables describe each one and its effect. Remember that there are two main kinds of ATP Safe Links policies to define or edit:
- a default policy that applies to everyone; and
- additional policies for specific recipients
Default policy options
Default policy options apply to everyone in your organization.
| This option | Does this |
|---|---|
| Block the following URLs | Enables your organization to have a custom list of URLs that are automatically blocked. When users click a URL in this list, they'll be taken to a warning page that explains why the URL is blocked. To learn more, see Set up a custom blocked URLs list using Office 365 ATP Safe Links. |
| Office 365 ProPlus, Office for iOS and Android | When this option is selected, ATP Safe Links protection is applied to URLs in Word, Excel, and PowerPoint files on Windows or Mac OS, Office documents on iOS, or Android devices, Visio 2016 on Windows, and Office Online (Word Online, PowerPoint Online, Excel Online, and OneNote Online), provided the user has signed into Office 365. |
| Don't track when users click ATP Safe Links | When this option is selected, click data for URLs in Word, Excel, PowerPoint, and Visio documents is not stored. |
| Don't let users click through ATP Safe Links to original URL | When this option is selected, users cannot proceed past a warning page to a URL that is determined to be malicious. |
Policies that apply to specific email recipients
| This option | Does this |
|---|---|
| Off | Does not scan URLs in email messages. Enables you to define an exception rule, such as a rule that does not scan URLs in email messages for a specific group of recipients. |
| On | Rewrites URLs to route users through ATP Safe Links protection when the users click URLs in email messages. Checks a URL when clicked against a list of blocked or malicious URLs. |
| Use Safe Attachments to scan downloadable content | When this option is selected, URLs that point to downloadable content are scanned. |
| Apply Safe Links to messages sent within the organization | When this option is available and selected, ATP Safe Links protection is applied to email messages sent between people in your organization, provided the email accounts are hosted in Office 365. |
| Do not track user clicks | When this option is selected, click data for URLs in email from external senders is not stored. URL click tracking for links within email messages sent within the organization is currently not supported. |
| Do not allow users to click through to original URL | When this option is selected, users cannot proceed past a warning page to a URL that is determined to be malicious. |
| Do not rewrite the following URLs | Leaves URLs as they are. Keeps a custom list of safe URLs that don't need scanning for a specific group of email recipients in your organization. See Set up a custom "Do not rewrite" URLs list using ATP Safe Links for more details, including recent changes to support for wildcard asterisks (*). |
Next steps
Once your ATP Safe Links policies are in place, you can see how ATP is working for your organization by viewing reports. See the following resources to learn more:
Stay on top of new features coming to ATP. Visit the Microsoft 365 Roadmap and learn about new features that are being added to ATP.

