User tags in Microsoft Defender for Office 365
Tip
Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
User tags are identifiers for specific groups of users in Microsoft Defender for Office 365. There are two types of user tags:
- System tags: Currently, Priority account is the only type of system tag.
- Custom tags: You create these types of tags.
If your organization has Defender for Office 365 Plan 2 (included in your subscription or as an add-on), you can create custom user tags in addition to using the Priority account tag.
Note
Currently, you can only apply user tags to mailbox users.
Your organization can tag a maximum of 250 users using the Priority account system tag.
Each custom tag has a maximum of 999 users per tag and your organization can create up to 500 custom tags.
This article explains how to configure user tags in the Microsoft Defender portal. You can also apply or remove the Priority account tag using the VIP parameter on the Set-User cmdlet in Exchange Online PowerShell. No PowerShell cmdlets are available to manage custom user tags.
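Because the Priority account tag is the one user tag that can be managed from Exchange Online PowerShell, it can also be kept under change control there. The script below is an added example, not code from the Microsoft article: it reconciles the accounts currently carrying the Priority account tag against an approved list, refuses to go over the 250-user cap stated above, and flags tagged accounts that nobody approved (unexplained drift on a high-impact tag is worth a look before you silently remove it). It assumes the ExchangeOnlineManagement module is installed, that `Set-User -VIP` behaves as described in this article, and that `Get-User` accepts the `-IsVIP` filter to list priority accounts; the approved-list addresses are constructed sample values.

```powershell
# Added example (not from the Microsoft article): reconcile the Priority account
# tag in Exchange Online PowerShell against an approved list.
# Assumptions: ExchangeOnlineManagement module installed; Get-User supports the
# -IsVIP filter for listing priority accounts.

$ApprovedPriorityUsers = @(            # constructed sample list, replace with your own
    'ceo@contoso.example',
    'cfo@contoso.example',
    'ciso@contoso.example'
)
$MaxPriorityAccounts = 250              # cap stated in the article

Connect-ExchangeOnline

# Current state: every mailbox user that already carries the Priority account tag.
$currentVip = @(Get-User -IsVIP -ResultSize Unlimited |
    Select-Object -ExpandProperty UserPrincipalName)

# -notin is case-insensitive in PowerShell, which suits UPN comparison.
$toAdd    = @($ApprovedPriorityUsers | Where-Object { $_ -notin $currentVip })
$toRemove = @($currentVip | Where-Object { $_ -notin $ApprovedPriorityUsers })

Write-Host "Currently tagged: $($currentVip.Count)  To add: $($toAdd.Count)  To remove: $($toRemove.Count)"

# Enforce the tenant-wide cap before changing anything.
$projected = $currentVip.Count - $toRemove.Count + $toAdd.Count
if ($projected -gt $MaxPriorityAccounts) {
    throw "Reconciliation would leave $projected priority accounts; the limit is $MaxPriorityAccounts."
}

# Drift: an account tagged outside the approved list may be an unreviewed change,
# so surface it clearly in the run output before the tag is removed.
foreach ($upn in $toRemove) {
    Write-Warning "Removing Priority account tag from $upn (not in approved list)"
    Set-User -Identity $upn -VIP $false
}

foreach ($upn in $toAdd) {
    # Add -WhatIf to the Set-User call for a dry run.
    Set-User -Identity $upn -VIP $true
    Write-Host "Applied Priority account tag to $upn"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from an account that holds the permissions listed in the next section, and remember that the article says tag changes can take up to 8 hours to apply fully, so a second run immediately afterwards may still report the old state.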
To see how user tags are part of the strategy to help protect high-impact user accounts, see Security recommendations for priority accounts in Microsoft 365.
What do you need to know before you begin?
You open the Microsoft Defender portal at https://security.microsoft.com. To go directly to the User tags page, use https://security.microsoft.com/securitysettings/userTags.
You need to be assigned permissions before you can do the procedures in this article. You have the following options:
Microsoft Defender XDR Unified role-based access control (RBAC) (if Email & collaboration > Defender for Office 365 permissions is Active; affects the Defender portal only, not PowerShell): Authorization and settings/System settings/manage or Authorization and settings/System settings/Read-only.
Email & collaboration permissions in the Microsoft Defender portal:
- Create, modify, and delete custom user tags: Membership in the Organization Management or Security Administrator role groups.
- Apply and remove the Priority account tag from users: Membership in the Security Administrator and Exchange Admin role groups.
- Apply and remove existing custom user tags from users: Membership in the Organization Management or Security Administrator role groups.
Tip
User tag management is controlled by the Tag Reader and Tag Manager roles in Email & collaboration permissions.
Microsoft Entra permissions: Membership in the Global Administrator* and Security Administrator roles gives users the required permissions and permissions for other features in Microsoft 365.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
You can also manage and monitor the Priority account tag in the Microsoft 365 admin center. For instructions, see Manage and monitor priority accounts.
For information about securing privileged accounts (admin accounts), see this article.
Use the Microsoft Defender portal to create user tags
In the Microsoft Defender portal at https://security.microsoft.com, go to Settings > Email & collaboration > User tags. Or, to go directly to the User tags page, use https://security.microsoft.com/securitysettings/userTags.
On the User tags page, select Create to start the new tag wizard.
On the Define tag page, configure the following settings:
- Name: Enter a unique, descriptive name for the tag. You can't rename a tag after you create it.
- Description: Enter an optional description for the tag.
When you're finished on the User tags page, select Next.
On the Assign members page, do either of the following steps:
Select Add members. In the Add members flyout that opens, do any of the following steps to add individual users or groups in the Search users and groups to add box:
- Click in the box and scroll through the list to select a user or group.
- Click in the box, start typing a name to filter the list, and then select the user or group from the values shown below the box.
To add more members, click in an empty area in the box and repeat the previous step.
To remove individual entries from the box, select the remove icon next to the entry.
When you're finished on the Add members flyout, select Add.
Back on the Assign members page, the users and groups that you added are listed by Name and Type. To remove entries from the list, select Delete next to the entry.
Select Import to select a text file that contains the email addresses of the users or groups (one entry per line).
When you're finished on the Assign members page, select Next.
On the Review tag page, review your settings. You can select Edit in each section to modify the settings within the section. Or you can select Back or the specific page in the wizard.
When you're finished on the Review tag page, select Submit.
On the New tag created page, you can select the links to add a new tag or manage the tag members.
When you're finished on the New tag created page, select Done.
Note
It can take up to 8 hours to completely apply tags.
If you assign a group to a user tag, the members of the group at the time of tag creation are assigned the tag. Users later added to the group aren't automatically assigned the user tag.
Use the Microsoft Defender portal to view user tags
In the Microsoft Defender portal at https://security.microsoft.com, go to Settings > Email & collaboration > User tags. Or, to go directly to the User tags page, use https://security.microsoft.com/securitysettings/userTags.
On the User tags page, you can sort the entries by clicking on an available column header. The following columns are available:
- Tag: The name of the user tag.
- Applied to: The number of members.
- Last modified
- Created on
Use Filter to filter the user tags by Last modified date.
Use the Search box and a corresponding value to find a specific user tag.
Select a user tag by clicking anywhere in the row other than the check box next to the name to open the details flyout for the user tag.
The details flyout of the user tag contains the following information, based on the type of tag:
- System tags: The details flyout for the Priority account tag contains the following information:
  - Last updated
  - Description
  - A link to https://security.microsoft.com/securitysettings/priorityAccountProtection to turn on or turn off priority account protection
  - Applied to
- Custom tags: The details flyout for a custom tag contains the same information as the User tags page, plus the list of users and groups that the tag applies to.
Use the Microsoft Defender portal to modify user tags
After you select the user tag, use either of the following methods to modify it:
- On the User tags page: Select the Edit action that appears.
- In the details flyout of the selected user tag: Select the Edit action at the top of the flyout.
The same wizard and most of the same settings are available as described in the Use the Microsoft Defender portal to create user tags section earlier in this article, with the following exceptions:
- You can't rename or change the description of the Priority account tag, so the Define tag page isn't available for the Priority account tag.
- The Define tag page is available for custom tags, but you can't rename the tag; you can only change the description.
Use the Microsoft Defender portal to remove user tags
You can't remove the built-in Priority account tag.
After you select the custom tag, use either of the following methods to remove it:
- On the User tags page: Select the Delete action that appears.
- In the details flyout of the selected user tag: Select the Delete action at the top of the flyout.
Read the warning in the confirmation dialog that opens, and then select Yes, remove.
Back on the User tags page, the custom tag is no longer listed.
User tags in reports and features
After you apply system tags or custom tags to users, you can use those tags as filters in the following features in Defender for Office 365:
- Alerts
- Incidents
- Threat Explorer
- Email entity page
- Quarantine: Currently, tag selection on the Quarantine filter page supports the Priority account tag only.
- Admin submissions and user reported messages
- Email security reports
- Campaigns
- Custom alert policies
- Attack simulation training
- In organizations above a certain size, the Email issues for priority accounts report is available in the Exchange admin center (EAC).
For information about where the effects of priority account protection are visible, see Review differentiated protection from priority account protection.