View Defender for Office 365 reports in the Microsoft 365 Defender portal

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 organizations (for example, Microsoft 365 E5 subscriptions or Microsoft Defender for Office 365 Plan 1 or Microsoft Defender for Office 365 Plan 2 add-ons) contain a variety of security-related reports. If you have the necessary permissions, you can view and download these reports in the Microsoft 365 Defender portal.

View and download reports

View reports

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Reports > Email & collaboration > Email & collaboration reports. To go directly to the Email & collaboration reports page, use https://security.microsoft.com/emailandcollabreport.

  2. Choose the report you want to view, and then select View details.

Download reports

In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Reports > Email & collaboration > Reports for download. To go directly to the Reports for download page, use https://security.microsoft.com/ReportsForDownload?viewid=custom.

The Email & collaboration reports page in the Microsoft 365 Defender portal

Note

Email security reports that don't require Defender for Office 365 are described in View email security reports in the Microsoft 365 Defender portal.

Reports that are related to mail flow are now in the Exchange admin center (EAC). For more information about these reports, see Mail flow reports in the new Exchange admin center.

Safe Attachments file types report

Note

This report has been deprecated. The same information is available in the Threat protection status report.

Safe Attachments message disposition report

Note

This report has been deprecated. The same information is available in the Threat protection status report.

Mail latency report

The Mail latency report shows you an aggregate view of the mail delivery and detonation latency experienced within your organization. Mail delivery times in the service are affected by a number of factors, and the absolute delivery time in seconds is often not a good indicator of success or a problem. A slow delivery time on one day might be considered an average delivery time on another day, or vice versa. This report tries to qualify message delivery based on statistical data about the observed delivery times of other messages.

Client side and network latency are not included.

To view the report, open the Microsoft 365 Defender portal at https://security.microsoft.com, go to Reports > Email & collaboration > Email & collaboration reports. To go directly to the Email & collaboration reports page, use https://security.microsoft.com/emailandcollabreport.

On the Email & collaboration reports page, find Mail latency report and then click View details. To go directly to the report, use https://security.microsoft.com/mailLatencyReport.

The Mail latency report widget on the Email & collaboration reports page

On the Mail latency report page, the following tabs are available:

  • 50th percentile: This is the middle for message delivery times. You can consider this value as an average delivery time. This tab is selected by default.
  • 90th percentile: This indicates a high latency for message delivery. Only 10% of messages took longer than this value to deliver.
  • 99th percentile: This indicates the highest latency for message delivery.

Regardless of the tab you select, the chart shows messages organized into the following categories:

  • Overall
  • Detonation

When you hover over a category in the chart, you can see a breakdown of the latency in each category.

The 50th percentiles view of the Mail latency report

If you click Filter, you can filter both the chart and the details table by the following values:

  • Date (UTC): Start date and End date
  • Message view: One of the following values:
    • All messages
    • Detonated messages: One of the following values:
      • Inline detonation: Includes messages that are fully tested before delivery.
      • Asynchronous detonation

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

In the details table below the chart, the following information is available:

  • Date (UTC)
  • Latency
  • Message count
  • 50th percentile
  • 90th percentile
  • 99th percentile

On the main report page, the Export button is available.

Threat protection status report

The Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Microsoft Defender for Office 365. For more information, see Threat protection status report.

Top senders and recipients report

The Top senders and recipients report shows the top recipients for EOP and Defender for Office 365 protection features. For more information, see Top senders and recipients report.

URL protection report

The URL protection report provides summary and trend views for threats detected and actions taken on URL clicks as part of Safe Links. This report will not have click data from users where the Safe Links policy was applied when the Track user clicks option is not selected.

To view the report, open the Microsoft 365 Defender portal, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find URL protection page and then click View details. To go directly to the report, open https://security.microsoft.com/reports/URLProtectionActionReport.

The URL protection report widget on the Email & collaboration reports page

The available views on the URL protection report page are described in the following sections.

View data by URL click protection action

The URL click protection action view in the URL protection report

The View data by URL click protection action view shows the number of URL clicks by users in the organization and the results of the click:

  • Allowed: Clicks allowed.
  • Allowed by tenant admin: Clicks allowed in Safe Links policies.
  • Blocked: Clicks blocked.
  • Blocked by tenant admin: Clicks blocked in Safe Links policies.
  • Blocked and clicked through: Blocked clicks where users click through to the blocked URL.
  • Blocked by tenant admin and clicked through: Admin has blocked the link, but the user clicked through.
  • Clicked through during scan: Clicks where users click through the pending scan page to the URL.
  • Pending scan: Clicks on URLs that are pending a scan verdict.

A click indicates that the user has clicked through the block page to the malicious website (admins can disable click through in Safe Links policies).

If you click Filters, you can modify the report and the details table by selecting one or more of the following values in the flyout that appears:

  • Date (UTC): Start date and End date
  • Action:
    • Allowed
    • Blocked
    • Allowed by tenant admin
    • Blocked and clicked through
    • Blocked by tenant admin and clicked through
    • Clicked through during scan
    • Pending scan
  • Domains: The URL domains listed in the report results.
  • Recipients

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

The details table below the chart provides the following near-real-time view of all clicks that happened within the organization for the last 30 days:

  • Click time
  • User
  • URL
  • Action
  • App

On the main report page, the Create schedule, Request report, and Export buttons are available.
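An added example (not part of the original article and not Microsoft code): once the details table has been exported, the action categories listed above can be used to triage clicks offline. The CSV header names mirror the details table columns and are an assumption about the export format; the sample rows are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Report actions where the user reached the URL despite a block or pending scan.
CLICK_THROUGH = {
    "Blocked and clicked through",
    "Blocked by tenant admin and clicked through",
    "Clicked through during scan",
}
# Report actions that show a URL received a block verdict at some point.
BLOCK_VERDICTS = {"Blocked", "Blocked by tenant admin",
                  "Blocked and clicked through", "Blocked by tenant admin and clicked through"}

# Constructed sample export. Header names follow the details table columns
# (assumption: a real export may name or order the columns differently).
SAMPLE_EXPORT = """\
Click time,User,URL,Action,App
2023-03-01T09:14:02Z,alice@contoso.example,https://pay.invoice-portal.example/login,Allowed,Email client
2023-03-01T09:40:11Z,bob@contoso.example,https://pay.invoice-portal.example/login,Blocked,Email client
2023-03-01T09:41:30Z,Bob@contoso.example,https://pay.invoice-portal.example/login,Blocked and clicked through,Email client
2023-03-01T10:02:45Z,carol@contoso.example,https://files.share-docs.example/q3,Clicked through during scan,Teams
2023-03-01T10:15:00Z,bob@contoso.example,https://files.share-docs.example/q3,Blocked by tenant admin and clicked through,Office document
2023-03-01T11:00:00Z,dave@contoso.example,https://intranet.contoso.example/home,Allowed,Email client
"""

def triage(csv_text):
    """Return (clicks per action, click-throughs per user, users allowed onto later-blocked URLs)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    counts = Counter(r["Action"].strip() for r in rows)
    blocked_urls = {r["URL"].strip() for r in rows if r["Action"].strip() in BLOCK_VERDICTS}
    through = defaultdict(list)   # user -> [(click time, URL, app)]
    exposed = defaultdict(set)    # URL -> users whose click was allowed
    for r in rows:
        user, action, url = r["User"].strip().lower(), r["Action"].strip(), r["URL"].strip()
        if action in CLICK_THROUGH:
            through[user].append((r["Click time"], url, r["App"]))
        elif action == "Allowed" and url in blocked_urls:
            exposed[url].add(user)
    return counts, dict(through), {u: sorted(v) for u, v in exposed.items()}

if __name__ == "__main__":
    counts, through, exposed = triage(SAMPLE_EXPORT)
    print("Clicks per action:", dict(counts))
    for user, clicks in sorted(through.items(), key=lambda kv: -len(kv[1])):
        print(f"{user}: {len(clicks)} click-through(s)")
    for url, users in exposed.items():
        print(f"Allowed before a block verdict on {url}: {', '.join(users)}")
```

Users in the second result reached a URL that was blocked for someone else in the same export, so their sessions are worth reviewing even though their own click shows as Allowed.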

View data by URL click by application

The URL click protection action view in the URL protection report

The View data by URL click by application view shows the number of URL clicks by apps that support Safe Links:

  • Email client
  • Office document
  • Teams

If you click Filters, you can modify the report and the details table by selecting one or more of the following values in the flyout that appears:

  • Date (UTC): Start date and End date
  • Detection: Available apps from the chart.
  • Domains: The URL domains listed in the report results.
  • Recipients

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

The details table below the chart provides the following near-real-time view of all clicks that happened within the organization for the last 7 days:

  • Click time
  • User
  • URL
  • Action
  • App

On the main report page, the Create schedule, Request report, and Export buttons are available.

Additional reports to view

In addition to the reports described in this article, several other reports are available, as described in the following table:

| Report | Topic |
|---|---|
| Explorer (Microsoft Defender for Office 365 Plan 2) or real-time detections (Microsoft Defender for Office 365 Plan 1) | Threat Explorer (and real-time detections) |
| Email security reports that don't require Defender for Office 365 | View email security reports in the Microsoft 365 Defender portal |
| Mail flow reports in the Exchange admin center (EAC) | Mail flow reports in the new Exchange admin center |

PowerShell reporting cmdlets:

| Report | Topic |
|---|---|
| Top senders and recipients | Get-MailTrafficSummaryReport |
| Top malware | Get-MailTrafficSummaryReport |
| Mail traffic | Get-MailTrafficATPReport, Get-MailDetailATPReport |
| Safe Links | Get-SafeLinksAggregateReport, Get-SafeLinksDetailReport |
| Compromised users | Get-CompromisedUserAggregateReport, Get-CompromisedUserDetailReport |
| Mail flow status | Get-MailflowStatusReport |
| Spoofed users | Get-SpoofMailReport |

What permissions are needed to view the Defender for Office 365 reports?

  • You need to be assigned permissions before you can view and use the reports that are described in this article. You have the following options:

What if the reports aren't showing data?

If you are not seeing data in your Defender for Office 365 reports, double-check that your policies are set up correctly. Your organization must have Safe Links policies and Safe Attachments policies defined in order for Defender for Office 365 protection to be in place. Also see anti-spam and anti-malware protection.