Safe Documents in Microsoft 365 A5 or E5 Security
Tip
Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
Safe Documents is a premium feature that uses the cloud back end of Microsoft Defender for Endpoint to scan opened Office documents in Protected View or Application Guard for Office.
Users don't need Defender for Endpoint installed on their local devices to get Safe Documents protection. Users get Safe Documents protection if all of the following requirements are met:
Safe Documents is enabled in the organization as described in this article.
Licenses from a required licensing plan are assigned to the users. Safe Documents is controlled by the Office 365 SafeDocs (or SAFEDOCS or bf6f5520-59e3-4f82-974b-7dbbc4fd27c7) service plan (also known as a service). This service plan is available in the following licensing plans (also known as license plans, Microsoft 365 plans, or products):
- Microsoft 365 A5 for Faculty
- Microsoft 365 A5 for Students
- Microsoft 365 E5 Security
Safe Documents isn't included in Microsoft Defender for Office 365 licensing plans.
For more information, see Product names and service plan identifiers for licensing.
They're using Microsoft 365 Apps for enterprise (formerly known as Office 365 ProPlus) version 2004 or later.
What do you need to know before you begin?
You open the Microsoft Defender portal at https://security.microsoft.com. To go directly to the Safe Attachments page, use https://security.microsoft.com/safeattachmentv2.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
You need to be assigned permissions before you can do the procedures in this article. You have the following options:
Microsoft Defender XDR Unified role based access control (RBAC) (If Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell): Authorization and settings/Security settings/Core Security settings (manage) or Authorization and settings/Security settings/Core Security settings (read).
-
- Configure Safe Documents settings: Membership in the Organization Management or Security Administrator role groups.
- Read-only access to Safe Documents settings: Membership in the Global Reader, Security Reader, or View-Only Organization Management role groups.
Microsoft Entra permissions: Membership in the Global Administrator*, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
How does Microsoft handle your data?
To keep you protected, Safe Documents sends file information to the Microsoft Defender for Endpoint cloud for analysis. Details on how Microsoft Defender for Endpoint handles your data can be found here: Microsoft Defender for Endpoint data storage and privacy.
File information sent by Safe Documents isn't retained in Defender for Endpoint beyond the time needed for analysis (typically, less than 24 hours).
Use the Microsoft Defender portal to configure Safe Documents
In the Microsoft Defender portal, go to the Safe Attachments page at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in the Policies section. Or, to go directly to the Safe Attachments page, use https://security.microsoft.com/safeattachmentv2.
On the Safe Attachments page, select Global settings.
In the Global settings flyout that opens, confirm or configure the following settings:
- Turn on Safe Documents for Office clients: Move the toggle to the right to turn on the feature: .
- Allow people to click through Protected View even if Safe Documents identified the file as malicious: We recommend that you leave this option turned off .
When you're finished in the Global settings flyout, select Save.
Use Exchange Online PowerShell to configure Safe Documents
If you'd rather user PowerShell to configure Safe Documents, use the following syntax in Exchange Online PowerShell:
Set-AtpPolicyForO365 -EnableSafeDocs <$true | $false> -AllowSafeDocsOpen <$true | $false>
- The EnableSafeDocs parameter enables or disables Safe Documents for the entire organization.
- The AllowSafeDocsOpen parameter allows or prevents users from leaving Protected View (that is, opening the document) if the document has been identified as malicious.
This example enables Safe Documents for the entire organization, and prevents users from opening documents that have been identified as malicious from Protected View.
Set-AtpPolicyForO365 -EnableSafeDocs $true -AllowSafeDocsOpen $false
For detailed syntax and parameter information, see Set-AtpPolicyForO365.
Configure individual access to Safe Documents
If you want to selectively allow or block access to the Safe Documents feature, follow these steps:
- Turn on Safe Documents in the Microsoft Defender portal or Exchange Online PowerShell as previously described in this article.
- Use Microsoft Graph PowerShell to disable Safe Documents for specific users as described in Disable specific Microsoft 365 services for specific users for a specific licensing plan.
The name of the service plan to disable in PowerShell is SAFEDOCS.
For more information, see the following articles:
- View Microsoft 365 licenses and services with PowerShell
- View Microsoft 365 account license and service details with PowerShell
- Product names and service plan identifiers for licensing
Onboard to the Microsoft Defender for Endpoint service to enable auditing capabilities
To enable auditing capabilities, the local device needs to have Microsoft Defender for Endpoint installed. To deploy Microsoft Defender for Endpoint, you need to go through the various phases of deployment. After onboarding, you can configure auditing capabilities in the Microsoft Defender portal.
To learn more, see Onboard to the Microsoft Defender for Endpoint service. If you need help, see Troubleshoot Microsoft Defender for Endpoint onboarding issues.
How do I know this procedure worked?
To verify that you've enabled and configured Safe Documents, do any of the following steps:
In the Microsoft Defender portal, go to the Safe Attachments page at https://security.microsoft.com/safeattachmentv2, select Global settings, and verify the Turn on Safe Documents for Office clients and Allow people to click through Protected View even if Safe Documents identifies the file as malicious settings.
Run the following command in Exchange Online PowerShell and verify the property values:
Get-AtpPolicyForO365 | Format-List *SafeDocs*
The following files are available to test Safe Documents protection. These files are similar to the EICAR.TXT file for testing anti-malware and anti-virus solutions. The files aren't harmful, but they trigger Safe Documents protection.