In all Microsoft 365 organizations, a variety of reports are available to help you see how email security features are protecting your organization. If you have the necessary permissions, you can view and download these reports as described in this article.
Email security report changes in the Microsoft Defender portal
The Exchange Online Protection (EOP) and Microsoft Defender for Office 365 reports in the Microsoft Defender portal that have been replaced, moved, or deprecated are described in the following table.
Note: There's no replacement for the encryption reporting capabilities in Get-MailTrafficTopReport.
MC315742
April 2022
Compromised users report
The Compromised users report shows the number of user accounts that were marked as Suspicious or Restricted within the last 7 days. Accounts in either of these states are problematic or even compromised. With frequent use, you can use the report to spot spikes, and even trends, in suspicious or restricted accounts. For more information about compromised users, see Responding to a compromised email account.
The aggregate view shows data for the last 90 days and the detail view shows data for the last 30 days.
On the Compromised users page, the chart shows the following information for the specified date range:
Restricted: The user account has been restricted from sending email due to highly suspicious patterns.
Suspicious: The user account has sent suspicious email and is at risk of being restricted from sending email.
The details table below the graph shows the following information:
Creation time
User ID
Action
Tags: For more information about user tags, see User tags.
Select
Filter to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
Date (UTC): Start date and End date.
Activity: Restricted or Suspicious
Tag: Leave the value All or remove it, double-click in the empty box, and then select Priority account. For more information about user tags, see User tags.
When you're finished configuring the filters, select Apply, Cancel, or
Clear filters.
The Mailflow status report is a smart report that shows information about incoming and outgoing email, spam detections, malware, email identified as "good", and information about email allowed or blocked on the edge. This is the only report that contains edge protection information. The report shows how much email is blocked before entering the service for examination by Exchange Online Protection (EOP) or Defender for Microsoft 365.
Tip
If a message is sent to five recipients, we count it as five different messages, not one message.
On the Direction tab, the chart shows the following information for the specified date range:
Inbound
Intra-org
Outbound
Select
Filter to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
Date (UTC): Start date and End date.
Note
To see data for a specific date, use the day after. For example, to see January 10 data, use January 11 in the filter. Today's data is available for filtering tomorrow.
Mail direction: Select Inbound, Outbound, and Intra-org.
On the Direction tab, the
Create schedule and
Export actions are available.
Mailflow view for the Mailflow status report
The Mailflow tab shows you how Microsoft's email threat protection features filter incoming and outgoing email in your organization. This view uses a horizontal flow diagram (known as a Sankey diagram) to provide details on the total email count, and how threat protection features affect this count.
The aggregate view and details table view allow for 90 days of filtering.
The information in the diagram is color-coded by EOP and Defender for Office 365 technologies.
The diagram is organized into the following horizontal bands:
Total email band: This value is always shown first.
Edge block and Processed band:
Edge block: Messages that were filtered at the edge and identified as Edge Protection.
Processed: Messages that were handled by the filtering stack.
Outcomes band:
Data loss prevention block
Rule Block: Messages that were quarantined by Exchange mail flow rules (transport rules).
Malware block: Messages that were identified as malware.*
Phishing block: Messages that were identified as phishing.*
Spam block: Messages that were identified as spam.*
Impersonation block: Messages that were detected as user impersonation or domain impersonation in Defender for Office 365.*
Detonation block: Messages that were detected during file or URL detonation by Safe Attachments policies or Safe Links policies in Defender for Office 365.*
ZAP removed: Messages that were removed by zero-hour auto purge (ZAP).*
Delivered: Messages that were delivered to users due to an allow.*
If you hover over a horizontal band in the diagram, you see the number of related messages.
* If you select this element, the diagram expands to show further details. For a description of each element in the expanded nodes, see Detection technologies.
The details table below the diagram shows the following information:
The Mail latency report in Defender for Office 365 contains information on the mail delivery and detonation latency experienced within your organization. For more information, see Mail latency report.
Post-delivery activities report
The Post-delivery activities report is available only in organizations with Microsoft Defender for Office 365 Plan 2. For information about the report, see Post-delivery activities report.
The Spoof detections report shows information about messages that were blocked or allowed due to spoofing. For more information about spoofing, see Anti-spoofing protection in EOP.
The aggregate and detail views of the report allows for 90 days of filtering.
Note
The latest available data in the report is 3 to 4 days old.
When you're finished configuring the filters, select Apply, Cancel, or
Clear filters.
On the Submissions page, the Export action is available.
Threat protection status report
The Threat protection status report is available in both EOP and Defender for Office 365. However, the reports contain different data. For example, EOP customers can view information about malware detected in email, but not information about malicious files detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
The report provides the count of email messages with malicious content. For example:
Files or website addresses (URLs) that were blocked by the anti-malware engine.
You can use the information in this report to identify trends or determine whether your organizational policies need adjustment.
Tip
if a message is sent to five recipients, we count it as five different messages, not one message.
On the Email & collaboration reports page at https://security.microsoft.com/emailandcollabreport, find Submissions, and then select View details. Or, to go directly to the report, use one of the following URLS:
By default, the chart shows data for the past seven days. Select
Filter on the Threat protection status report page to select a 90 day date range (trial subscriptions might be limited to 30 days). The details table allows filtering for 30 days.
The available views are described in the following subsections.
View data by Overview
In the View data by Overview view, the following detection information is shown in the chart:
Select
Filter to modify the report by selecting one or more of the following values in the flyout that opens:
Date (UTC)Start date and End date.
Detection: The same values as in the chart.
Protected by: MDO (Defender for Office 365) and EOP.
Tag: Leave the value All or remove it, double-click in the empty box, and then select Priority account. For more information about user tags, see User tags.
Direction: Leave the value All or remove it, double-click in the empty box, and then select Inbound, Outbound, or Intra-org.
Domain: Leave the value All or remove it, double-click in the empty box, and then select an accepted domain.
Policy type: Leave the value All or remove it, double-click in the empty box, and then select one of the following values:
Anti-malware
Safe Attachments
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others
When you're finished configuring the filters, select Apply, Cancel, or
Clear filters.
View data by Email > Phish and Chart breakdown by Detection Technology
Note
In May 2021, phishing detections in email were updated to include message attachments that contain phishing URLs. This change might shift some of the detection volume out of the View data by Email > Malware view and into the View data by Email > Phish view. In other words, message attachments with phishing URLs that were traditionally identified as malware now might be identified as phishing instead.
In the View data by Email > Phish and Chart breakdown by Detection Technology view, the following information is shown in the chart:
Advanced filter: Phishing signals based on machine learning.
Campaign*: Messages identified as part of a campaign.
File detonation*: Safe Attachments detected a malicious attachment during detonation analysis.
File detonation reputation*: File attachments previously detected by Safe Attachments detonations in other Microsoft 365 organizations.
File reputation: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.
Fingerprint matching: The message closely resembles a previous detected malicious message.
General filter: Phishing signals based on analyst rules.
Impersonation brand: Sender impersonation of well-known brands.
Impersonation domain*: Impersonation of sender domains that you own or specified for protection in anti-phishing policies.
Impersonation user*: Impersonation of protected senders that you specified in anti-phishing policies or learned through mailbox intelligence.
Mailbox intelligence impersonation*: Impersonation detections from mailbox intelligence in anti-phishing policies.
Mixed analysis detection: Multiple filters contributed to the message verdict.
Protected by: MDO (Defender for Office 365) and EOP
Direction: Leave the value All or remove it, double-click in the empty box, and then select Inbound, Outbound, or Intra-org.
Tag: Leave the value All or remove it, double-click in the empty box, and then select Priority account. For more information about user tags, see User tags.
Domain: Leave the value All or remove it, double-click in the empty box, and then select an accepted domain.
Policy type: Select All or one of the following values:
Anti-malware
Safe Attachments
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others
Policy name (details table view only): Select All or a specific policy.
Recipients (separated by commas)
When you're finished configuring the filters, select Apply, Cancel, or
Clear filters.
If you select an entry from the details table by clicking anywhere in the row other than the check box next to the first column, an email details flyout opens. This details flyout is known as the Email summary panel and contains summarized information that's also available on the Email entity page in Defender for Office 365 for the message. For details about the information in the Email summary panel, see The Email summary panel.
In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report:
Domain reputation: The message was from a domain that was previously identified as sending spam in other Microsoft 365 organizations.
Fingerprint matching: The message closely resembles a previous detected malicious message.
General filter
IP reputation: The message was from a source that was previously identified as sending spam in other Microsoft 365 organizations.
Mixed analysis detection: Multiple filters contributed to the verdict for the message.
URL malicious reputation: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.
In the details table below the chart, the following information is available:
Date
Subject
Sender
Recipients
Detection technology: The same detection technology values from the chart.
Delivery status
Sender IP
Tags: For more information about user tags, see User tags.
To see all columns, you likely need to do one or more of the following steps:
Horizontally scroll in your web browser.
Narrow the width of appropriate columns.
Zoom out in your web browser.
Select
Filter to modify the report by selecting one or more of the following values in the flyout that opens:
Date (UTC)Start date and End date
Detection: The same values as in the chart.
Bulk complaint level: When the Detection value Bulk is selected, the slider is available to filter the report by the selected BCL range. You can use this information to confirm or adjust the BCL threshold in anti-spam policies to allow more or less bulk email into your organization.
If the Detection value Bulk isn't selected, the slider is grayed-out and bulk detections aren't included in the report.
Direction: All or enter Inbound, Outbound and Intra-org.
Direction: Leave the value All or remove it, double-click in the empty box, and then select Inbound, Outbound, or Intra-org.
Tag: Leave the value All or remove it, double-click in the empty box, and then select Priority account. For more information about user tags, see User tags.
Domain: Leave the value All or remove it, double-click in the empty box, and then select an accepted domain.
Policy type: Select All or one of the following values:
Anti-malware
Safe Attachments
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others
Policy name (details table view only): Select All or a specific policy.
Recipients
When you're finished configuring the filters, select Apply, Cancel, or
Clear filters.
If you select an entry from the details table by clicking anywhere in the row other than the check box next to the first column, an email details flyout opens. This details flyout is known as the Email summary panel and contains summarized information that's also available on the Email entity page in Defender for Office 365 for the message. For details about the information in the Email summary panel, see The Email summary panel.
In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report:
View data by Email > Malware and Chart breakdown by Detection Technology
Note
In May 2021, malware detections in email were updated to include harmful URLs in messages attachments. This change might shift some of the detection volume out of the View data by Email > Phish view and into the View data by Email > Malware view. In other words, harmful URLs in message attachments that were traditionally identified as phishing now might be identified as malware instead.
In the View data by Email > Malware and Chart breakdown by Detection Technology view, the following information is shown in the chart:
File detonation*: Safe Attachments detected a malicious attachment during detonation analysis.
File detonation reputation*: File attachments previously detected by Safe Attachments detonations in other Microsoft 365 organizations.
File reputation: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.
Anti-malware engine*: Detection from anti-malware.
URL malicious reputation
URL detonation*: Safe Links detected a malicious URL in the message during detonation analysis.
URL detonation reputation*: URLs previously detected by Safe Links detonations in other Microsoft 365 organizations.
Campaign*: Messages identified as part of a campaign.
* Defender for Office 365 only
In the details table below the chart, the following information is available:
Date
Subject
Sender
Recipients
Detection technology: The same detection technology values from the chart.
Delivery Status
Sender IP
Tags: For more information about user tags, see User tags.
To see all columns, you likely need to do one or more of the following steps:
Horizontally scroll in your web browser.
Narrow the width of appropriate columns.
Zoom out in your web browser.
Select
Filter to modify the report by selecting one or more of the following values in the flyout that opens:
Protected by: MDO (Defender for Office 365) and EOP
Direction: Leave the value All or remove it, double-click in the empty box, and then select Inbound, Outbound, or Intra-org.
Tag: Leave the value All or remove it, double-click in the empty box, and then select Priority account. For more information about user tags, see User tags.
Domain: Leave the value All or remove it, double-click in the empty box, and then select an accepted domain.
Policy type: Select All or one of the following values:
Anti-malware
Safe Attachments
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others
Policy name (details table view only): Select All or a specific policy.
Recipients (separated by commas)
When you're finished configuring the filters, select Apply, Cancel, or
Clear filters.
If you select an entry from the details table by clicking anywhere in the row other than the check box next to the first column, an email details flyout opens. This details flyout is known as the Email summary panel and contains summarized information that's also available on the Email entity page in Defender for Office 365 for the message. For details about the information in the Email summary panel, see The Email summary panel.
In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report:
In the View data by Email > Phish, View data by Email > Spam, or View data by Email > Malware views, selecting Chart breakdown by Policy type shows the following information in the chart:
Anti-malware
Safe Attachments*
Anti-phish
Anti-spam
Mail flow rule (also known as a transport rule)
Others
In the details table below the chart, the following information is available:
Date
Subject
Sender
Recipients
Detection technology: The same detection technology values from the chart.
Delivery status
Sender IP
Tags: For more information about user tags, see User tags.
To see all columns, you likely need to do one or more of the following steps:
Horizontally scroll in your web browser.
Narrow the width of appropriate columns.
Zoom out in your web browser.
Select
Filter to modify the report by selecting one or more of the following values in the flyout that opens:
Date (UTC)Start date and End date
Detection: Detection technology values as previously described in this article and at Detection technologies.
Protected by: MDO (Defender for Office 365) and EOP
Direction: Leave the value All or remove it, double-click in the empty box, and then select Inbound, Outbound, or Intra-org.
Tag: Leave the value All or remove it, double-click in the empty box, and then select Priority account. For more information about user tags, see User tags.
Domain: Leave the value All or remove it, double-click in the empty box, and then select an accepted domain.
Policy type: Select All or one of the following values:
Anti-malware
Safe Attachments
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others
Policy name (details table view only): Select All or a specific policy.
Recipients (separated by commas)
* Defender for Office 365 only
When you're finished configuring the filters, select Apply, Cancel, or
Clear filters.
If you select an entry from the details table by clicking anywhere in the row other than the check box next to the first column, an email details flyout opens. This details flyout is known as the Email summary panel and contains summarized information that's also available on the Email entity page in Defender for Office 365 for the message. For details about the information in the Email summary panel, see The Email summary panel.
In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report:
In the View data by Email > Phish, View data by Email > Spam, or View data by Email > Malware views, selecting Chart breakdown by Delivery status shows the following information in the chart:
Hosted mailbox: Inbox
Hosted mailbox: Junk
Hosted mailbox: Custom folder
Hosted mailbox: Deleted Items
Forwarded
On-premises server: Delivered
Quarantine
Delivery failed
Dropped
In the details table below the chart, the following information is available:
Date
Subject
Sender
Recipients
Detection technology: The same detection technology values from the chart.
Delivery status
Sender IP
Tags: For more information about user tags, see User tags.
To see all columns, you likely need to do one or more of the following steps:
Horizontally scroll in your web browser.
Narrow the width of appropriate columns.
Zoom out in your web browser.
Select
Filter to modify the report by selecting one or more of the following values in the flyout that opens:
Date (UTC)Start date and End date
Detection: Detection technology values as previously described in this article and at Detection technologies.
Protected by: MDO (Defender for Office 365) and EOP
Direction: Leave the value All or remove it, double-click in the empty box, and then select Inbound, Outbound, or Intra-org.
Tag: Leave the value All or remove it, double-click in the empty box, and then select Priority account. For more information about user tags, see User tags.
Domain: Leave the value All or remove it, double-click in the empty box, and then select an accepted domain.
Policy type: Select All or one of the following values:
Anti-malware
Safe Attachments
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others
Policy name (details table view only): Select All or a specific policy.
Recipients (separated by commas)
* Defender for Office 365 only
When you're finished configuring the filters, select Apply, Cancel, or
Clear filters.
If you select an entry from the details table by clicking anywhere in the row other than the check box next to the first column, an email details flyout opens. This details flyout is known as the Email summary panel and contains summarized information that's also available on the Email entity page in Defender for Office 365 for the message. For details about the information in the Email summary panel, see The Email summary panel.
In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report:
In the details table below the chart, the following information is available:
Date
Subject
Sender
Recipients
System override
Sender IP
Tags: For more information about user tags, see User tags.
Select
Filter to modify the report by selecting one or more of the following values in the flyout that opens:
Date (UTC)Start date and End date
Reason: The same values as the chart.
Delivery Location: Junk Mail folder not enabled and SecOps mailbox.
Direction: Leave the value All or remove it, double-click in the empty box, and then select Inbound, Outbound, or Intra-org.
Tag: Leave the value All or remove it, double-click in the empty box, and then select Priority account. For more information about user tags, see User tags.
Domain: Leave the value All or remove it, double-click in the empty box, and then select an accepted domain.
Policy type: Select All or one of the following values:
Anti-malware
Safe Attachments
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others
Policy name (details table view only): Select All or a specific policy.
Recipients (separated by commas)
When you're finished configuring the filters, select Apply, Cancel, or
Clear filters.
On the Threat protection status page, the
Export action is available.
View data by System override and Chart breakdown by Delivery location
In the View data by System override and Chart breakdown by Delivery location view, the following override reason information is shown in the chart:
Delivery Location: Junk Mail folder not enabled and SecOps mailbox.
Direction: Leave the value All or remove it, double-click in the empty box, and then select Inbound, Outbound, or Intra-org.
Tag: Leave the value All or remove it, double-click in the empty box, and then select Priority account. For more information about user tags, see User tags.
Domain: Leave the value All or remove it, double-click in the empty box, and then select an accepted domain.
Policy type: Select All or one of the following values:
Anti-malware
Safe Attachments
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others
Policy name (details table view only): Select All or a specific policy.
Recipients (separated by commas)
When you're finished configuring the filters, select Apply, Cancel, or
Clear filters.
On the Threat protection status page, the
Export action is available.
The Top senders and recipients report is available in both EOP and Defender for Office 365; however, the reports contain different data. For example, EOP customers can view information about top malware, spam, and phishing (spoofing) recipients, but not information about malware detected by Safe Attachments or phishing detected by impersonation protection.
The Top senders and recipients report shows the top 20 message senders in the organization, as well as the top 20 recipients for messages that were detected by EOP and Defender for Office 365 protection features. By default, the report shows data for the last week, but data is available for the last 90 days.
On the Top senders and recipients page, a larger version of the pie chart is displayed. The following charts are available:
Show data for Top mail senders (default view)
Show data for Top mail recipients
Show data for Top spam recipients
Show data for Top malware recipients (EOP)
Show data for Top phishing recipients
Show data for Top malware recipients (MDO)
Show data for Top phish recipients (MDO)
Show data for Top intra.org mail senders
Show data for Top intra.org mail recipients
Show data for Top intra.org spam recipients
Show data for Top intra.org malware recipients
Show data for Top intra.org phishing recipients
Show data for Top intra.org phishing recipients (MDO)
Show data for Top intra.org malware recipients (MDO)
Hover over a wedge in the pie chart to see the message count for that specific sender or recipient.
For each chart, the details table below the chart shows the following information:
Email address
Item count
Tags: For more information about user tags, see User tags.
Select
Filter to modify the report by selecting one or more of the following values in the flyout that opens:
Date (UTC)Start date and End date
Tag: Leave the value All or remove it, double-click in the empty box, and then select Priority account. For more information about user tags, see User tags.
When you're finished configuring the filters, select Apply, Cancel, or
Clear filters.
On the Top senders and recipients page, the
Export action is available.
URL protection report
The URL protection report is available only in Microsoft Defender for Office 365. For more information, see URL protection report.
User reported messages report
Important
In order for the User reported messages report to work correctly, audit logging must be turned on in your Microsoft 365 organization (it's on by default). For more information, see Turn auditing on or off.
On the report page, the
Export action is available.
What permissions are needed to view these reports?
You need to be assigned permissions before you can view and use the reports that are described in this article. You have the following options:
Microsoft Defender XDR Unified role based access control (RBAC) (If Email & collaboration > Defender for Office 365 permissions is
Active. Affects the Defender portal only, not PowerShell): Security operations/Security data/Security data basics (read) or Authorization and settings/System settings/manage.
Microsoft Entra permissions: Membership in the Global Administrator¹ ², Security Administrator, Security Reader, or Global Reader roles in Microsoft Entra ID gives users the required permissions and permissions for other features in Microsoft 365.
¹ Membership in the Organization Management role group or in the Global Administrator role is required to use the
Create schedule or
Request report actions in reports (where available).
Important
² Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
What if the reports aren't showing data?
If you don't see data in the reports, check the report filters and double-check that your protection policies are configured to detect and take action on messages. For more information, see the following articles:
Depending on the report and the specific view in the report, one or more of the following actions might be available on the main report page as previously described:
The exported data is affected by any filters that are configured in the report at the time of export.
If the exported data exceeds 150000 entries, the data is split into multiple files.
On the report page, select
Export.
In the Export conditions flyout that opens, review and configure the following settings:
Select a view to export: Select one of the following values:
Summary: Data from the last 90 days is available. This is the default value.
Details: Data from the last 30 days is available. A date range of one day is supported.
Date (UTC):
Start date: The default value is three months ago.
End date: The default value is today.
When you're finished in the Export conditions flyout, select Export.
The Export button changes to Exporting... and a progress bar is shown.
In the Save as dialog that opens, you see the default name of the .csv file and the download location (the local Downloads folder by default), but you can change those values and then select Save to download the exported data.
If you see a dialog that security.microsoft.com wants to download multiple files, select Allow.
Schedule recurring reports
To create scheduled reports, you need to be a member of the Organization management role in Exchange Online or the Global Administrator* role in Microsoft Entra ID.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
On the report page, select
Create schedule to start the new scheduled report wizard.
On the Name scheduled report page, review or customize the Name value, and then select Next.
On the Set preferences page, review or configure the following settings:
Frequency: Select one of the following values:
Weekly (default)
Daily (this value results in no data being shown in charts)
Monthly
Start date: Enter the date when generation of the report begins. The default value is today.
Expiry date: Enter the date when generation of the report ends. The default value is one year from today.
When you're finished on the Set preferences page, select Next.
On the Select filters page, configure the following settings:
Direction: Select one of the following values:
All (default)
Outbound
Inbound
Sender address
Recipient address
When you're finished on the Select filters page, select Next.
On the Recipients page, choose recipients for the report in the Send email to box. The default value is your email address, but you can add others by doing either of the following steps:
Click in the box, wait for the list of users to resolve, and then select the user from the list below the box.
Click in the box, start typing a value, and then select the user from the list below the box.
To remove an entry from the list, select
next to the entry.
When you're finished on the Recipients page, select Next.
On the Review page, review your settings. You can select Edit in each section to modify the settings within the section. Or you can select Back or the specific page in the wizard.
When you're finished on the Review page, select Submit.
On the New scheduled report created page, you can select the links to view the scheduled report or create another report.
When you're finished on the New scheduled report created page, select Done.
The reports are emailed to the specified recipients based on the schedule you configured
The scheduled report entry is available on the Managed schedules page as described in the next subsection.
Manage existing scheduled reports
After you create a scheduled report as described in the previous section, the scheduled report entry is available on the Manage schedules page in the Defender portal.
On the Manage schedules page, the following information is shown for each scheduled report entry:
Schedule start date
Schedule name
Report type
Frequency
Last sent
To change the list from normal to compact spacing, select
Change list spacing to compact or normal, and then select
Compact list.
Use the
Search box to find an existing scheduled report entry.
To modify the scheduled report settings, do the following steps:
Select the scheduled report entry by clicking anywhere in the row other than the check box.
In the details flyout that opens, do any of the following steps:
Select
Edit name to change the name of the scheduled report.
Select the Edit link in the section to modify the corresponding settings.
The settings and configuration steps are the same as described in Schedule report.
To delete a scheduled report entry, use either of the following methods:
Select the check box next to one, more or all of the scheduled reports, and then select the
Delete action that appears on the main page.
Select the scheduled report by clicking anywhere in the row other than the check box, and then select
Delete in the details flyout that opens.
Read the warning dialog that opens, and then select OK.
Back on the Manage schedules page, the deleted scheduled report entry is no longer listed, and previous reports for the scheduled report are deleted and are no longer available for download.
Request on-demand reports for download
To create on-demand reports, you need to be a member of the Organization management role in Exchange Online or the Global Administrator* role in Microsoft Entra ID.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
On the report page, select
Request report to start the new on-demand report wizard.
On the Name on-demand report page, review or customize the Name value, and then select Next.
On the Set preferences page, review or configure the following settings:
Start date: Enter the start date for the report data. The default value is one month ago.
Expiry date: Enter the end date for the report data. The default value is today.
When you're finished on the Name on-demand report page, select Next.
On the Recipients page, choose recipients for the report in the Send email to box. The default value is your email address, but you can add others by doing either of the following steps:
Click in the box, wait for the list of users to resolve, and then select the user from the list below the box.
Click in the box, start typing a value, and then select the user from the list below the box.
To remove an entry from the list, select
next to the entry.
When you're finished on the Recipients page, select Next.
On the Review page, review your settings. You can select Edit in each section to modify the settings within the section. Or you can select Back or the specific page in the wizard.
When you're finished on the Review page, select Submit.
On the New on-demand report created page, you can select the link to create another report.
When you're finished on the New on-demand report created page, select Done.
The report creation task (and eventually the finished report) is available on the Reports for download page as described in the next subsection.
Download reports
To download on-demand reports, you need to be a member of the Organization management role in Exchange Online or the Global Administrator* role in Microsoft Entra ID.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
After you request an on-demand report as described in the previous section, you check the status of the report and eventually download the report on the Reports for download page in the Defender portal.
On the Reports for download page, the following information is shown for each available report:
Start date
Name
Report type
Last sent
Status:
Pending: The report is still being created, and it isn't available to download yet.
Complete - Ready for download: Report generation is complete, and the report is available to download.
Complete - No results found: Report generation is complete, but the report contains no data, so you can't download it.
To download the report, select the check box next in the start date of the report, and then select the
Download report action that appears.
Use the
Search box to find an existing report.
In the Save as dialog that opens, you see the default name of the .csv file and the download location (the local Downloads folder by default), but you can change those values and then select Save to download the report.
This module examines how Microsoft Defender for Office 365 extends EOP protection through various tools, including Safe Attachments, Safe Links, spoofed intelligence, spam filtering policies, and the Tenant Allow/Block List.