User tags in Microsoft Defender for Office 365

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to:

User tags are identifiers for specific groups of users in Microsoft Defender for Office 365. There are two types of user tags:

  • System tags: Currently, Priority accounts is the only type of system tag.
  • Custom tags: You create these user tags yourself.

If your organization has Defender for Office 365 Plan 2 (included in your subscription or as an add-on), you can create custom user tags in addition to using the priority accounts tag.

Note

Currently, you can only apply user tags to mailbox users.

After you apply system tags or custom tags to users, you can use those tags as filters in alerts, reports, and investigations:

This article explains how to configure user tags in the Microsoft 365 Defender portal. There are no cmdlets in Microsoft 365 Defender portal to manage user tags.

To see how user tags are part of the strategy to help protect high-impact user accounts, see Security recommendations for priority accounts in Microsoft 365.

What do you need to know before you begin?

  • You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the User tags page, use https://security.microsoft.com/securitysettings/userTags.

  • You need to be assigned permissions in the Microsoft 365 Defender portal before you can do the procedures in this article:

    • To create, modify, and delete custom user tags, you need to be a member of the Organization Management or Security Administrator role groups.
    • To add and remove members from the Priority Account system tag, you need to be a member of the Security Administrator and Exchange Admin role groups.
    • To add and remove members from existing custom user tags, you need to be a member of the Organization Management or Security Administrator role groups.
    • For read-only access to user tags, you need to be a member of the Global Reader, Security Operator, or Security Reader role groups.

    For more information, see Permissions in the Microsoft 365 Defender portal.

    Note

    • Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Microsoft 365 Defender portal and permissions for other features in Microsoft 365. For more information, see About admin roles.

    • User tag management is controlled by the Tag Reader and Tag Manager roles.

  • You can also manage and monitor priority accounts in the Microsoft 365 admin center. For instructions, see Manage and monitor priority accounts.

  • For information about securing privileged accounts (admin accounts), see this topic.

Use the Microsoft 365 Defender portal to create user tags

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Settings > Email & collaboration > User tags. To go directly to the User tags page, use https://security.microsoft.com/securitysettings/userTags.

  2. On the User tags page, click Create tag icon. Create tag.

  3. The Create tag wizard opens in a new flyout. On the Define tag page, configure the following settings:

    • Name: Enter a unique, descriptive name for the tag. This is the value that you'll see and use. Note that you can't rename a tag after you create it.
    • Description: Enter an optional description for the tag.

    When you're finished, click Next.

  4. On the Assign members page, do either of the following steps:

    • Click Add members icon. Add members. In the fly out that appears, do any of the following steps to add individual users or groups:

      • Click in the box and scroll through the list to select a user or group.
      • Click in the box and start typing to filter the list and select a user or group.
      • To add additional values, click in an empty area in the box.
      • To remove individual entries, click Remove entry icon. next to the entry in the box.
      • To remove all entries, click Remove entry icon. on the Selected nn users and nn groups item below the box.

      When you're finished, click Add.

      Back on the Assign members page, you can also remove entries by clicking Delete icon. next to the entry.

    • Click Import to select a text file that contains the email addresses of the users or groups. Be sure the text file contains one entry per line.

    When you're finished, click Next.

  5. On the Review tag page that appears, review your settings. You can select Edit in each section to modify the settings within the section. Or you can click Back or select the specific page in the wizard.

    When you're finished, click Submit, and then click Done.

Use the Microsoft 365 Defender portal to view user tags

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Settings > Email & collaboration > User tags. To go directly to the User tags page, use https://security.microsoft.com/securitysettings/userTags.

  2. On the User tags page, the following properties are displayed in the list of user tags:

    • Tag: The name of the user tag. Note that this includes the built-in Priority account system tag.
    • Applied to: The number of members
    • Last modified
    • Created on
  3. When you select a user tag by clicking on the name, the details are displayed in a flyout.

Use the Microsoft 365 Defender portal to modify user tags

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Settings > Email & collaboration > User tags. To go directly to the User tags page, use https://security.microsoft.com/securitysettings/userTags.

  2. On the User tags page, select the user tag from the list, and then click Edit tag icon. Edit tag.

  3. In the details flyout that appears, the same wizard and settings are available as described in the Use the Microsoft 365 Defender portal to create user tags section earlier in this article.

    Notes:

    • The Define tag page is not available for the built-in Priority account system tag, so you can't rename this tag or change the description.
    • You can't rename a custom tag, but you can change the description.

Use the Microsoft 365 Defender portal to remove user tags

Note

You can't remove the built-in Priority account system tag.

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Settings > Email & collaboration > User tags. To go directly to the User tags page, use https://security.microsoft.com/securitysettings/userTags.

  2. On the User tags page, select the user tag from the list, and then click Delete tag icon. Delete tag.

  3. Read the warning in the confirmation dialog that appears, and then click Yes, remove.

More information

Configure and review priority accounts in Microsoft Defender for Office 365