Safe Documents in Microsoft 365 A5 or E5 Security
Users don't need Defender for Endpoint installed on their local devices to get Safe Documents protection. Users get Safe Documents protection if all of the following requirements are met:
- Safe Documents is enabled in the organization as described in this article.
- Licenses from a required licensing plan are assigned to the users. Safe Documents is controlled by the Office 365 SafeDocs (or SAFEDOCS or bf6f5520-59e3-4f82-974b-7dbbc4fd27c7) service plan (also known as a service). This service plan is available in the following licensing plans (also known as license plans, Microsoft 365 plans, or products):
  - Microsoft 365 A5 for Faculty
  - Microsoft 365 A5 for Students
  - Microsoft 365 E5 Security
  Safe Documents is not included in Microsoft Defender for Office 365 licensing plans.
  For more information, see Product names and service plan identifiers for licensing.
- They're using Microsoft 365 Apps for enterprise (formerly known as Office 365 ProPlus) version 2004 or later.
What do you need to know before you begin?
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
You need permissions in Exchange Online before you can do the procedures in this article:
- To configure Safe Documents settings, you need to be a member of the Organization Management or Security Administrator role groups.
- For read-only access to Safe Documents settings, you need to be a member of the Global Reader or Security Reader role groups.
For more information, see Permissions in Exchange Online.
Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions and permissions for other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also gives read-only access to the feature.
How does Microsoft handle your data?
To keep you protected, Safe Documents sends files to the Microsoft Defender for Endpoint cloud for analysis. Details on how Microsoft Defender for Endpoint handles your data can be found here: Microsoft Defender for Endpoint data storage and privacy.
Files sent by Safe Documents are not retained in Defender for Endpoint beyond the time needed for analysis (typically, less than 24 hours).
Use the Microsoft 365 Defender portal to configure Safe Documents
In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in the Policies section. To go directly to the Safe Attachments page, use https://security.microsoft.com/safeattachmentv2.
On the Safe Attachments page, click Global settings.
In the Global settings flyout that appears, configure the following settings:
- Turn on Safe Documents for Office clients: Move the toggle to the right to turn on the feature.
- Allow people to click through Protected View even if Safe Documents identified the file as malicious: We recommend that you leave this option turned off (leave the toggle to the left).
When you're finished, click Save.
Use Exchange Online PowerShell to configure Safe Documents
If you'd rather use PowerShell to configure Safe Documents, use the following syntax in Exchange Online PowerShell:
Set-AtpPolicyForO365 -EnableSafeDocs <$true | $false> -AllowSafeDocsOpen <$true | $false>
- The EnableSafeDocs parameter enables or disables Safe Documents for the entire organization.
- The AllowSafeDocsOpen parameter allows or prevents users from leaving Protected View (that is, opening the document) if the document has been identified as malicious.
This example enables Safe Documents for the entire organization, and prevents users from opening documents that have been identified as malicious from Protected View.
Set-AtpPolicyForO365 -EnableSafeDocs $true -AllowSafeDocsOpen $false
For detailed syntax and parameter information, see Set-AtpPolicyForO365.
Configure individual access to Safe Documents
If you want to selectively allow or block access to the Safe Documents feature, follow these steps:
- Turn on Safe Documents in the Microsoft 365 Defender portal or Exchange Online PowerShell as previously described in this article.
- Use Azure AD PowerShell to disable Safe Documents for specific users as described in Disable specific Microsoft 365 services for specific users for a specific licensing plan.
The name of the service plan to disable in PowerShell is SAFEDOCS.
For more information, see the following topics:
- View Microsoft 365 licenses and services with PowerShell
- View Microsoft 365 account license and service details with PowerShell
- Product names and service plan identifiers for licensing
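The per-user step above, as an added example that is not part of the original article: it disables the SAFEDOCS service plan for named users while keeping any plans that are already disabled on their license, which a plain overwrite of DisabledPlans would silently re-enable. It assumes the AzureAD module with an active Connect-AzureAD session; the function name and the sample user are hypothetical.

```powershell
# Added example. Assumes: Import-Module AzureAD; Connect-AzureAD already run.
function Disable-SafeDocsPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$UserPrincipalName
    )

    $planName = 'SAFEDOCS'   # service plan name given in this article

    # Find every subscribed SKU in the tenant that actually contains SAFEDOCS,
    # rather than hard-coding a SKU name.
    $skus = Get-AzureADSubscribedSku |
        Where-Object { $_.ServicePlans.ServicePlanName -contains $planName }

    foreach ($upn in $UserPrincipalName) {
        $user = Get-AzureADUser -ObjectId $upn

        foreach ($assigned in $user.AssignedLicenses) {
            $sku = $skus | Where-Object { $_.SkuId -eq $assigned.SkuId }
            if (-not $sku) { continue }   # this license has no SAFEDOCS plan

            $planId = ($sku.ServicePlans |
                Where-Object { $_.ServicePlanName -eq $planName }).ServicePlanId

            # Merge with plans already disabled for the user so they stay disabled.
            [string[]]$disabled = @($assigned.DisabledPlans) + $planId |
                Select-Object -Unique

            $license = New-Object Microsoft.Open.AzureAD.Model.AssignedLicense
            $license.SkuId = $assigned.SkuId
            $license.DisabledPlans = [System.Collections.Generic.List[string]]$disabled

            $licenses = New-Object Microsoft.Open.AzureAD.Model.AssignedLicenses
            $licenses.AddLicenses = $license

            Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses
            Write-Output "SAFEDOCS disabled for $upn on SKU $($sku.SkuPartNumber)"
        }
    }
}

# Constructed sample user; replace with real accounts.
Disable-SafeDocsPlan -UserPrincipalName 'user1@contoso.example'
```

Users with no license containing SAFEDOCS are skipped without error, so review the output lines to confirm each intended account was changed.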
Onboard to the Microsoft Defender for Endpoint service to enable auditing capabilities
To enable auditing capabilities, the local device needs to have Microsoft Defender for Endpoint installed. To deploy Microsoft Defender for Endpoint, you need to go through the various phases of deployment. After onboarding, you can configure auditing capabilities in the Microsoft 365 Defender portal.
To learn more, see Onboard to the Microsoft Defender for Endpoint service. If you need additional help, refer to Troubleshoot Microsoft Defender for Endpoint onboarding issues.
How do I know this worked?
To verify that you've enabled and configured Safe Documents, do any of the following steps:
- In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in the Policies section > Global settings, and verify the Turn on Safe Documents for Office clients and Allow people to click through Protected View even if Safe Documents identifies the file as malicious settings.
- Run the following command in Exchange Online PowerShell and verify the property values:
Get-AtpPolicyForO365 | Format-List *SafeDocs*
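For recurring checks, the same verification can be scripted. The following is an added example, not from the original article: it compares the live policy with the state set by the example earlier on this page (Safe Documents on, click-through off) and reports any setting that has drifted. The function name is hypothetical, and an Exchange Online PowerShell session is assumed.

```powershell
# Added example. Assumes an active Exchange Online PowerShell session.
function Test-SafeDocsPolicy {
    [CmdletBinding()]
    param(
        # Desired state; defaults match the configuration example in this article.
        [bool]$ExpectedEnableSafeDocs = $true,
        [bool]$ExpectedAllowSafeDocsOpen = $false
    )

    $policy = Get-AtpPolicyForO365

    $expected = [ordered]@{
        EnableSafeDocs    = $ExpectedEnableSafeDocs
        AllowSafeDocsOpen = $ExpectedAllowSafeDocsOpen
    }

    # Emit one result object per setting so the output can be filtered or exported.
    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = $policy.$name
            Compliant = ($policy.$name -eq $expected[$name])
        }
    }
}

$drift = Test-SafeDocsPolicy | Where-Object { -not $_.Compliant }
if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Warning 'Safe Documents policy differs from the expected configuration.'
} else {
    Write-Output 'Safe Documents policy matches the expected configuration.'
}
```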
The following files are available to test Safe Documents protection. These files are similar to the EICAR.TXT file for testing anti-malware and anti-virus solutions. The files are not harmful, but they will trigger Safe Documents protection.