Recommended settings for EOP and Microsoft Defender for Office 365 security

Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what's new.

Applies to

Exchange Online Protection (EOP) is the core of security for Microsoft 365 subscriptions and helps keep malicious emails from reaching your employee's inboxes. But with new, more sophisticated attacks emerging every day, improved protections are often required. Microsoft Defender for Office 365 Plan 1 or Plan 2 contain additional features that give admins more layers of security, control, and investigation.

Although we empower security administrators to customize their security settings, there are two security levels in EOP and Microsoft Defender for Office 365 that we recommend: Standard and Strict. Although customer environments and needs are different, these levels of filtering will help prevent unwanted mail from reaching your employees' Inbox in most situations.

To automatically apply the Standard or Strict settings to users, see Preset security policies in EOP and Microsoft Defender for Office 365.

This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users. The tables contain the settings in the Microsoft 365 Defender portal and PowerShell (Exchange Online PowerShell or standalone Exchange Online Protection PowerShell for organizations without Exchange Online mailboxes).

Tip

You can't change the recommended Standard and Strict settings in the Microsoft 365 Defender portal. To change recommended values like Enable users to protect, you need to use Exchange Online PowerShell.

The Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) module for PowerShell can help you (admins) find the current values of these settings. Specifically, the Get-ORCAReport cmdlet generates an assessment of anti-spam, anti-phishing, and other message hygiene settings. You can download the ORCA module at https://www.powershellgallery.com/packages/ORCA/.

Anti-spam, anti-malware, and anti-phishing protection in EOP

Anti-spam, anti-malware, and anti-phishing are EOP features that can be configured by admins. We recommend the following Standard or Strict configurations.

EOP anti-spam policy settings

To create and configure anti-spam policies, see Configure anti-spam policies in EOP.



Security feature name Default Standard Strict Comment
Bulk email threshold & spam properties
Bulk email threshold

BulkThreshold

7 6 4 For details, see Bulk complaint level (BCL) in EOP.
MarkAsSpamBulkMail On On On This setting is only available in PowerShell.
Increase spam score settings Off Off Off All of these settings are part of the Advanced Spam Filter (ASF). For more information, see the ASF settings in anti-spam policies section in this article.
Mark as spam settings Off Off Off Most of these settings are part of ASF. For more information, see the ASF settings in anti-spam policies section in this article.
Contains specific languages

EnableLanguageBlockList

LanguageBlockList

Off

$false

Blank

Off

$false

Blank

Off

$false

Blank

We have no specific recommendation for this setting. You can block messages in specific languages based on your business needs.
From these countries

EnableRegionBlockList

RegionBlockList

Off

$false

Blank

Off

$false

Blank

Off

$false

Blank

We have no specific recommendation for this setting. You can block messages from specific countries based on your business needs.
Test mode (TestModeAction) None None None This setting is part of ASF. For more information, see the ASF settings in anti-spam policies section in this article.
Actions Wherever you select Quarantine message, a Select quarantine policy box is available. Quarantine policies define what users are allowed to do to quarantined messages.

When you create a new anti-spam policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that particular verdict (AdminOnlyAccessPolicy for High confidence phishing; DefaultFullAccessPolicy for everything else).

Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users. For more information, see Quarantine policies.

Spam detection action

SpamAction

Move message to Junk Email folder

MoveToJmf

Move message to Junk Email folder

MoveToJmf

Quarantine message

Quarantine

High confidence spam detection action

HighConfidenceSpamAction

Quarantine message

MoveToJmf

Quarantine message

Quarantine

Quarantine message

Quarantine

Phishing detection action

PhishSpamAction

Quarantine message

MoveToJmf

Quarantine message

Quarantine

Quarantine message

Quarantine

High confidence phishing detection action

HighConfidencePhishAction

Quarantine message

Quarantine

Quarantine message

Quarantine

Quarantine message

Quarantine

Bulk detection action

BulkSpamAction

Move message to Junk Email folder

MoveToJmf

Move message to Junk Email folder

MoveToJmf

Quarantine message

Quarantine

Retain spam in quarantine for this many days

QuarantineRetentionPeriod

15 days* 30 days 30 days * The default value is 15 days in the default anti-spam policy, and in new anti-spam policies that you create in PowerShell. The default value is 30 days in new anti-spam policies that you create in the Microsoft 365 Defender portal.

This value also affects messages that are quarantined by anti-phishing policies. For more information, see Quarantined email messages in EOP.

Enable spam safety tips

InlineSafetyTipsEnabled

Selected

$true

Selected

$true

Selected

$true

Enable zero-hour auto purge (ZAP) for phishing messages

PhishZapEnabled

Selected

$true

Selected

$true

Selected

$true

Enable ZAP for spam messages

SpamZapEnabled

Selected

$true

Selected

$true

Selected

$true

Allow & block list
Allowed senders

AllowedSenders

None None None
Allowed sender domains

AllowedSenderDomains

None None None Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out.

Use the spoof intelligence insight and the Tenant Allow/Block List to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.

Blocked senders

BlockedSenders

None None None
Blocked sender domains

BlockedSenderDomains

None None None

ASF settings in anti-spam policies

The table in this section describes the Advanced Spam Filter (ASF) settings that are available in anti-spam policies. All of these settings are Off for both Standard and Strict levels. For more information about ASF settings, see Advanced Spam Filter (ASF) settings in EOP.



Security feature name Comment
Image links to remote sites (IncreaseScoreWithImageLinks)
Numeric IP address in URL (IncreaseScoreWithNumericIps)
URL redirect to other port (IncreaseScoreWithRedirectToOtherPort)
Links to .biz or .info websites (IncreaseScoreWithBizOrInfoUrls)
Empty messages (MarkAsSpamEmptyMessages)
Embed tags in HTML (MarkAsSpamEmbedTagsInHtml)
JavaScript or VBScript in HTML (MarkAsSpamJavaScriptInHtml)
Form tags in HTML (MarkAsSpamFormTagsInHtml)
Frame or iframe tags in HTML (MarkAsSpamFramesInHtml)
Web bugs in HTML (MarkAsSpamWebBugsInHtml)
Object tags in HTML (MarkAsSpamObjectTagsInHtml)
Sensitive words (MarkAsSpamSensitiveWordList)
SPF record: hard fail (MarkAsSpamSpfRecordHardFail)
Sender ID filtering hard fail (MarkAsSpamFromAddressAuthFail)
Backscatter (MarkAsSpamNdrBackscatter)
Test mode (TestModeAction) For ASF settings that support Test as an action, you can configure the test mode action to None, Add default X-Header text, or Send Bcc message (None, AddXHeader, or BccMessage). For more information, see Enable, disable, or test ASF settings.

EOP outbound spam policy settings

To create and configure outbound spam policies, see Configure outbound spam filtering in EOP.

For more information about the default sending limits in the service, see Sending limits.

Note

Outbound spam policies are not part of Standard or Strict preset security policies. The Standard and Strict values indicate our recommended values in the default outbound spam policy or custom policies that you create.



Security feature name Default Standard Strict Comment
Set an external message limit

RecipientLimitExternalPerHour

0 500 400 The default value 0 means use the service defaults.
Set an internal message limit

RecipientLimitInternalPerHour

0 1000 800 The default value 0 means use the service defaults.
Set a daily message limit

RecipientLimitPerDay

0 1000 800 The default value 0 means use the service defaults.
Restriction placed on users who reach the message limit

ActionWhenThresholdReached

Restrict the user from sending mail until the following day

BlockUserForToday

Restrict the user from sending mail

BlockUser

Restrict the user from sending mail

BlockUser

Automatic forwarding rules

AutoForwardingMode

Automatic - System-controlled

Automatic

Automatic - System-controlled

Automatic

Automatic - System-controlled

Automatic

Send a copy of outbound messages that exceed these limits to these users and groups

BccSuspiciousOutboundMail

BccSuspiciousOutboundAdditionalRecipients

Not selected

$false

Blank

Not selected

$false

Blank

Not selected

$false

Blank

We have no specific recommendation for this setting.

This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.

Notify these users and groups if a sender is blocked due to sending outbound spam

NotifyOutboundSpam

NotifyOutboundSpamRecipients

Not selected

$false

Blank

Not selected

$false

Blank

Not selected

$false

Blank

The default alert policy named User restricted from sending email already sends email notifications to members of the TenantAdmins (Global admins) group when users are blocked due to exceeding the limits in policy. We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users. For instructions, see Verify the alert settings for restricted users.

EOP anti-malware policy settings

To create and configure anti-malware policies, see Configure anti-malware policies in EOP.



Security feature name Default Standard Strict Comment
Protection settings
Enable the common attachments filter

EnableFileFilter

Not selected

$false

Selected

$true

Selected

$true

This setting quarantines messages that contain executable attachments based on file type, regardless of the attachment content.
Enable zero-hour auto purge for malware

ZapEnabled

Selected

$true

Selected

$true

Selected

$true

Quarantine policy AdminOnlyAccessPolicy AdminOnlyAccessPolicy AdminOnlyAccessPolicy When you create a new anti-malware policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as malware (AdminOnlyAccessPolicy).

Admins can create and select custom quarantine policies that define more capabilities for users. For more information, see Quarantine policies.

Recipient notifications
Notify recipients when messages are quarantined as malware

Action

Not selected

DeleteMessage

Not selected

DeleteMessage

Not selected

DeleteMessage

If malware is detected in an email attachment, the message is quarantined and can be released only by an admin.
Sender notifications
Notify internal senders when messages are quarantined as malware

EnableInternalSenderNotifications

Not selected

$false

Not selected

$false

Not selected

$false

Notify external senders when messages are quarantined as malware

EnableExternalSenderNotifications

Not selected

$false

Not selected

$false

Not selected

$false

Admin notifications
Notify an admin about undelivered messages from internal senders

EnableInternalSenderAdminNotifications

InternalSenderAdminAddress

Not selected

$false

Not selected

$false

Not selected

$false

We have no specific recommendation for this setting.
Notify an admin about undelivered messages from external senders

EnableExternalSenderAdminNotifications

ExternalSenderAdminAddress

Not selected

$false

Not selected

$false

Not selected

$false

We have no specific recommendation for this setting.
Customize notifications We have no specific recommendations for these settings.
Use customized notification text

CustomNotifications

Not selected

$false

Not selected

$false

Not selected

$false

From name

CustomFromName

Blank

$null

Blank

$null

Blank

$null

From address

CustomFromAddress

Blank

$null

Blank

$null

Blank

$null

Customize notifications for messages from internal senders These settings are used only if Notify internal senders when messages are quarantined as malware or Notify an admin about undelivered messages from internal senders is selected.
Subject

CustomInternalSubject

Blank

$null

Blank

$null

Blank

$null

Message

CustomInternalBody

Blank

$null

Blank

$null

Blank

$null

Customize notifications for messages from external senders These settings are used only if Notify external senders when messages are quarantined as malware or Notify an admin about undelivered messages from external senders is selected.
Subject

CustomExternalSubject

Blank

$null

Blank

$null

Blank

$null

Message

CustomExternalBody

Blank

$null

Blank

$null

Blank

$null

EOP anti-phishing policy settings

For more information about these settings, see Spoof settings. To configure these settings, see Configure anti-phishing policies in EOP.



Security feature name Default Standard Strict Comment
Phishing threshold & protection
Enable spoof intelligence

EnableSpoofIntelligence

Selected

$true

Selected

$true

Selected

$true

Actions
If message is detected as spoof

AuthenticationFailAction

Move message to the recipients' Junk Email folders

MoveToJmf

Move message to the recipients' Junk Email folders

MoveToJmf

Quarantine the message

Quarantine

This setting applies to spoofed senders that were automatically blocked as shown in the spoof intelligence insight or manually blocked in the Tenant Allow/Block List.

If you select Quarantine the message, an Apply quarantine policy box is available to select the quarantine policy that defines what users are allowed to do to messages that are quarantined as spoofing. When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as spoofing (DefaultFullAccessPolicy).

Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users. For more information, see Quarantine policies.

Show first contact safety tip

EnableFirstContactSafetyTips

Not selected

$false

Not selected

$false

Not selected

$false

For more information, see First contact safety tip.
Show (?) for unauthenticated senders for spoof

EnableUnauthenticatedSender

Selected

$true

Selected

$true

Selected

$true

Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Unauthenticated sender.
Show "via" tag

EnableViaTag

Selected

$true

Selected

$true

Selected

$true

Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the MAIL FROM address.

For more information, see Unauthenticated sender.

Microsoft Defender for Office 365 security

Additional security benefits come with a Microsoft Defender for Office 365 subscription. For the latest news and information, you can see What's new in Defender for Office 365.

Important

If your subscription includes Microsoft Defender for Office 365 or if you've purchased Defender for Office 365 as an add-on, set the following Standard or Strict configurations.

Anti-phishing policy settings in Microsoft Defender for Office 365

EOP customers get basic anti-phishing as previously described, but Defender for Office 365 includes more features and control to help prevent, detect, and remediate against attacks. To create and configure these policies, see Configure anti-phishing policies in Defender for Office 365.

Advanced settings in anti-phishing policies in Microsoft Defender for Office 365

For more information about this setting, see Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365. To configure this setting, see Configure anti-phishing policies in Defender for Office 365.



Security feature name Default Standard Strict Comment
Phishing email threshold

PhishThresholdLevel

1 - Standard

1

2 - Aggressive

2

3 - More aggressive

3

Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365

For more information about these settings, see Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365. To configure these settings, see Configure anti-phishing policies in Defender for Office 365.



Security feature name Default Standard Strict Comment
Phishing threshold & protection
Enable users to protect (impersonated user protection)

EnableTargetedUserProtection

TargetedUsersToProtect

Not selected

$false

none

Selected

$true

<list of users>

Selected

$true

<list of users>

We recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.

In preset security policies, you can't specify the users to protect. You need to disable the preset security policies and use custom anti-phishing policies to add users in key roles as suggested.

Enable domains to protect (impersonated domain protection) Not selected Selected Selected
Include domains I own

EnableOrganizationDomainsProtection

Off

$false

Selected

$true

Selected

$true

Include custom domains

EnableTargetedDomainsProtection

TargetedDomainsToProtect

Off

$false

none

Selected

$true

<list of domains>

Selected

$true

<list of domains>

We recommend adding domains (sender domains) that you don't own, but you frequently interact with.

In preset security policies, you can't specify the custm domains to protect. You need to disable the preset security policies and use custom anti-phishing policies to add custom domains to protect as suggested.

Add trusted senders and domains

ExcludedSenders

ExcludedDomains

None None None Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.
Enable mailbox intelligence

EnableMailboxIntelligence

Selected

$true

Selected

$true

Selected

$true

Enable intelligence for impersonation protection

EnableMailboxIntelligenceProtection

Off

$false

Selected

$true

Selected

$true

This setting allows the specified action for impersonation detections by mailbox intelligence.
Actions Wherever you select Quarantine the message, a Select quarantine policy box is available. Quarantine policies define what users are allowed to do to quarantined messages.

When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that verdict (DefaultFullAccessPolicy for all impersonation detection types).

Admins can create and select custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see Quarantine policies.

If message is detected as an impersonated user

TargetedUserProtectionAction

Don't apply any action

NoAction

Quarantine the message

Quarantine

Quarantine the message

Quarantine

Remember, preset security policies don't allow you to specify the users to protect, so this setting effectively does nothing in preset security policies.
If message is detected as an impersonated domain

TargetedDomainProtectionAction

Don't apply any action

NoAction

Quarantine the message

Quarantine

Quarantine the message

Quarantine

Remember, preset security policies don't allow you to specify the custom domains to protect, so this setting affects only domains that you own, not custom domains.
If mailbox intelligence detects and impersonated user

MailboxIntelligenceProtectionAction

Don't apply any action

NoAction

Move message to the recipients' Junk Email folders

MoveToJmf

Quarantine the message

Quarantine

Show user impersonation safety tip

EnableSimilarUsersSafetyTips

Off

$false

Selected

$true

Selected

$true

Show domain impersonation safety tip

EnableSimilarDomainsSafetyTips

Off

$false

Selected

$true

Selected

$true

Show user impersonation unusual characters safety tip

EnableUnusualCharactersSafetyTips

Off

$false

Selected

$true

Selected

$true

EOP anti-phishing policy settings in Microsoft Defender for Office 365

These are the same settings that are available in anti-spam policy settings in EOP.

The spoof settings are inter-related, but the Show first contact safety tip setting has no dependency on spoof settings.



Security feature name Default Standard Strict Comment
Phishing threshold & protection
Enable spoof intelligence

EnableSpoofIntelligence

Selected

$true

Selected

$true

Selected

$true

Actions
If message is detected as spoof

AuthenticationFailAction

Move message to the recipients' Junk Email folders

MoveToJmf

Move message to the recipients' Junk Email folders

MoveToJmf

Quarantine the message

Quarantine

This setting applies to spoofed senders that were automatically blocked as shown in the spoof intelligence insight or manually blocked in the Tenant Allow/Block List.

If you select Quarantine the message, an Apply quarantine policy box is available to select the quarantine policy that defines what users are allowed to do to quarantined messages. When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for spoof quarantined messages (DefaultFullAccessPolicy).

Admins can create and select a custom quarantine policy that defines what recipients are allowed to do to these messages in quarantine. For more information, see Quarantine policies.

Show first contact safety tip

EnableFirstContactSafetyTips

Not selected

$false

Selected

$true

Selected

$true

For more information, see First contact safety tip.
Show (?) for unauthenticated senders for spoof

EnableUnauthenticatedSender

Selected

$true

Selected

$true

Selected

$true

Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Unauthenticated sender.
Show "via" tag

EnableViaTag

Selected

$true

Selected

$true

Selected

$true

Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the MAIL FROM address.

For more information, see Unauthenticated sender.

Safe Attachments settings

Safe Attachments in Microsoft Defender for Office 365 includes global settings that have no relationship to Safe Attachments policies, and settings that are specific to each Safe Links policy. For more information, see Safe Attachments in Defender for Office 365.

Although there's no default Safe Attachments policy, the Built-in protection preset security policy provides Safe Attachments protection to all recipients (users who aren't defined in custom Safe Attachments policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.

Global settings for Safe Attachments

Note

The global settings for Safe Attachments are set by the Built-in protection preset security policy, but not by the Standard or Strict preset security policies. Either way, admins can modify these global Safe Attachments settings at any time.

The Default column shows the values before the existence of the Built-in protection preset security policy. The Built-in protection column shows the values that are set by the Built-in protection preset security policy, which are also our recommended values.

To configure these settings, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Safe Documents in Microsoft 365 E5.

In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.



Security feature name Default Built-in protection Comment
Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams

EnableATPForSPOTeamsODB

Off

$false

On

$true

To prevent users from downloading malicious files, see Use SharePoint Online PowerShell to prevent users from downloading malicious files.
Turn on Safe Documents for Office clients

EnableSafeDocs

Off

$false

On

$true

This feature is available and meaningful only with licenses that are not included in Defender for Office 365 (for example, Microsoft 365 E5 or Microsoft 365 E5 Security). For more information, see Safe Documents in Microsoft 365 E5.
Allow people to click through Protected View even if Safe Documents identified the file as malicious

AllowSafeDocsOpen

Off

$false

Off

$false

This setting is related to Safe Documents.

Safe Attachments policy settings

To configure these settings, see Set up Safe Attachments policies in Defender for Office 365.

In PowerShell, you use the New-SafeAttachmentPolicy and Set-SafeAttachmentPolicy cmdlets for these settings.

Note

As described earlier, there is no default Safe Attachments policy, but Safe Attachments protection is assigned to all recipients by the Built-in protection preset security policy.

The Default in custom column refers to the default values in new Safe Attachments policies that you create. The remaining columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.



Security feature name Default in custom Built-in protection Standard Strict Comment
Safe Attachments unknown malware response

Enable and Action

Off

-Enable $false and -Action Block

Block

-Enable $true and -Action Block

Block

-Enable $true and -Action Block

Block

-Enable $true and -Action Block

When the Enable parameter is $false, the value of the Action parameter doesn't matter.
Quarantine policy (QuarantineTag) AdminOnlyAccessPolicy AdminOnlyAccessPolicy AdminOnlyAccessPolicy AdminOnlyAccessPolicy When you create a new Safe Attachments policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by Safe Attachments (AdminOnlyAccessPolicy).

Admins can create and select custom quarantine policies that define more capabilities for users. For more information, see Quarantine policies.

Redirect attachment with detected attachments : Enable redirect

Redirect

RedirectAddress

Not selected and no email address specified.

-Redirect $false

RedirectAddress is blank ($null)

Not selected and no email address specified.

-Redirect $false

RedirectAddress is blank ($null)

Selected and specify an email address.

$true

an email address

Selected and specify an email address.

$true

an email address

Redirect messages to a security admin for review.

Note: This setting is not configured in the Standard, Strict, or Built-in protection preset security policies. The Standard and Strict values indicate our recommended values in new Safe Attachments policies that you create.

Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)

ActionOnError

Selected

$true

Selected

$true

Selected

$true

Selected

$true

Safe Links in Defender for Office 365 includes global settings that apply to all users who are included in active Safe Links policies, and settings that are specific to each Safe Links policy. For more information, see Safe Links in Defender for Office 365.

Although there's no default Safe Links policy, the Built-in protection preset security policy provides Safe Links protection to all recipients (users who aren't defined in custom Safe Links policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.

Note

The global settings for Safe Links are set by the Built-in protection preset security policy, but not by the Standard or Strict preset security policies. Either way, admins can modify these global Safe Links settings at any time.

The Default column shows the values before the existence of the Built-in protection preset security policy. The Built-in protection column shows the values that are set by the Built-in protection preset security policy, which are also our recommended values.

To configure these settings, see Configure global settings for Safe Links in Defender for Office 365.

In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.



Security feature name Default Built-in protection Comment
Block the following URLs

ExcludedUrls

Blank

$null

Blank

$null

We have no specific recommendation for this setting.

For more information, see "Block the following URLs" list for Safe Links.

Use Safe Links in Office 365 apps

EnableSafeLinksForO365Clients

On

$true

On

$true

Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see Safe Links settings for Office 365 apps.
Do not track when users click protected links in Office 365 apps

TrackClicks

On

$false

Off

$true

Turning off this setting (setting TrackClicks to $true) tracks user clicks in supported Office 365 apps.
Do not let users click through to the original URL in Office 365 apps

AllowClickThrough

On

$false

On

$false

Turning on this setting (setting AllowClickThrough to $false) prevents click through to the original URL in supported Office 365 apps.

To configure these settings, see Set up Safe Links policies in Microsoft Defender for Office 365.

In PowerShell, you use the New-SafeLinksPolicy and Set-SafeLinksPolicy cmdlets for these settings.

Note

As described earlier, there's no default Safe Links policy, but Safe Links protection is assigned to all recipients by the Built-in protection preset security policy.

The Default in custom column refers to the default values in new Safe Links policies that you create. The remaining columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.



Security feature name Default in custom Built-in protection Standard Strict Comment
Protection settings
Select the action for unknown potentially malicious URLs in messages

IsEnabled

Off

$false

On

$true

On

$true

On

$true

Select the action for unknown or potentially malicious URLs within Microsoft Teams

EnableSafeLinksForTeams

Off

$false

On

$true

On

$true

On

$true

Apply real-time URL scanning for suspicious links and links that point to files

ScanUrls

Not selected

$false

Selected

$true

Selected

$true

Selected

$true

Wait for URL scanning to complete before delivering the message

DeliverMessageAfterScan

Not selected

$false

Selected

$true

Selected

$true

Selected

$true

Apply Safe Links to email messages sent within the organization

EnableForInternalSenders

Not selected

$false

Selected

$true

Selected

$true

Selected

$true

Do not track user clicks

DoNotTrackUserClicks

Not selected

$false

Not selected

$false

Not selected

$false

Not selected

$false

Turning off this setting (setting DoNotTrackUserClicks to $false) tracks users clicks.
Do not let users click through to the original URL

DoNotAllowClickThrough

Not selected

$false

Not selected

$false

Selected

$true

Selected

$true

Turning on this setting (setting DoNotAllowClickThrough to $true) prevents click through to the original URL.
Display the organization branding on notification and warning pages

EnableOrganizationBranding

Not selected

$false

Not selected

$false

Not selected

$false

Not selected

$false

We have no specific recommendation for this setting.

Before you turn on this setting, you need to follow the instructions in Customize the Microsoft 365 theme for your organization to upload your company logo.

Do not rewrite URLs, do checks via Safe Links API only

DisableURLRewrite

Not selected

$false

Selected

$true

Not selected

$false

Not selected

$false

Do not rewrite the following URLs

DoNotRewriteUrls

Not selected

blank

Not selected

blank

Not selected

blank

Not selected

blank

We have no specific recommendation for this setting. For more information, see "Do not rewrite the following URLs" lists in Safe Links policies.
Notification
How would you like to notify your users? Use the default notification text Use the default notification text Use the default notification text Use the default notification text We have no specific recommendation for this setting.

You can select Use custom notification text (CustomNotificationText) to enter customized notification text to use. You can also select Use Microsoft Translator for automatic localization (UseTranslatedNotificationText) to translate the custom notification text into the user's language.