Admin review for reported messages
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.
In Microsoft 365 organizations with Exchange Online mailboxes and Microsoft Defender for Office 365, admins can now send templated messages back to end users after they review reported messages. The templates can be customized for your organization and based on your admin's verdict as well.
The feature is designed to give feedback to your users but doesn't change the verdicts of messages in the system. To help Microsoft update and improve its filters, you need to submit messages for analysis using Admin submission.
You will only be able to mark and notify users of review results if the message was reported as a false positives or false negatives.
What do you need to know before you begin?
To modify the configuration for User submissions, you need to be a member of one of the following role groups:
You'll also need access to Exchange Online PowerShell. If the account that you're trying to use doesn't have access to Exchange Online PowerShell, you'll receive an error that says Specify an email address in your domain. For more information about enabling or disabling access to Exchange Online PowerShell, see the following topics:
Notify users from within the portal
In the Microsoft 365 Defender portal at https://security.microsoft.com, go to the Submissions page at Email & collaboration > Submissions. To go directly to the Submissions page, use https://security.microsoft.com/reportsubmission.
Click User reported messages, and then select the message you want to mark and notify.
Select the Mark as and notify drop-down, and then select No threats found, Phishing, or Junk.
The reported message will be marked as either false positive or false negative, and an email will be automatically sent from within the portal notifying the user who reported the message.
Customize the messages used to notify users
In the Microsoft 365 Defender portal at https://security.microsoft.com, go to the User submissions page at Email & Collaboration > Policies & Rules > Threat policies > User reported message settings in the Others section. To go directly to the User submissions page, use https://security.microsoft.com/userSubmissionsReportMessage.
On the User submissions page, if you want to specify the sender display name, check the box for Specify Office 365 email address to use as sender under the Email notifications for admin review results section, and enter in the name you wish to use. The email address that will be visible in Outlook and all the replies will go there.
If you want to customize any of the templates, click Customize email notification at the bottom of the page. In the flyout that opens, you can customize only the following:
- No threats found
When you're finished, click Save. To clear these values, click Discard on the User submissions page.
Submit and view feedback for