Recommended settings for EOP and Microsoft Defender for Office 365 security

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection (EOP) is the core of security for Microsoft 365 subscriptions and helps keep malicious emails from reaching your employee's inboxes. But with new, more sophisticated attacks emerging every day, improved protections are often required. Microsoft Defender for Office 365 Plan 1 or Plan 2 contain additional features that give admins more layers of security, control, and investigation.

Although we empower security administrators to customize their security settings, there are two security levels in EOP and Microsoft Defender for Office 365 that we recommend: Standard and Strict. Although customer environments and needs are different, these levels of filtering will help prevent unwanted mail from reaching your employees' Inbox in most situations.

To automatically apply the Standard or Strict settings to users, see Preset security policies in EOP and Microsoft Defender for Office 365.

This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users. The tables contain the settings in the Microsoft 365 Defender portal and PowerShell (Exchange Online PowerShell or standalone Exchange Online Protection PowerShell for organizations without Exchange Online mailboxes).

Note

The Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) module for PowerShell can help you (admins) find the current values of these settings. Specifically, the Get-ORCAReport cmdlet generates an assessment of anti-spam, anti-phishing, and other message hygiene settings. You can download the ORCA module at https://www.powershellgallery.com/packages/ORCA/.

In Microsoft 365 organizations, we recommend that you leave the Junk Email Filter in Outlook set to No automatic filtering to prevent unnecessary conflicts (both positive and negative) with the spam filtering verdicts from EOP. For more information, see the following articles:

Anti-spam, anti-malware, and anti-phishing protection in EOP

Anti-spam, anti-malware, and anti-phishing are EOP features that can be configured by admins. We recommend the following Standard or Strict configurations.

EOP anti-spam policy settings

To create and configure anti-spam policies, see Configure anti-spam policies in EOP.

Security feature name Default Standard Strict Comment
Bulk email threshold & spam properties
Bulk email threshold

BulkThreshold
7 6 5 For details, see Bulk complaint level (BCL) in EOP.
MarkAsSpamBulkMail On On On This setting is only available in PowerShell.
Increase spam score settings Off Off Off All of these settings are part of the Advanced Spam Filter (ASF). For more information, see the ASF settings in anti-spam policies section in this article.
Mark as spam settings Off Off Off Most of these settings are part of ASF. For more information, see the ASF settings in anti-spam policies section in this article.
Contains specific languages

EnableLanguageBlockList

LanguageBlockList
Off

$false

Blank
Off

$false

Blank
Off

$false

Blank
We have no specific recommendation for this setting. You can block messages in specific languages based on your business needs.
From these countries

EnableRegionBlockList

RegionBlockList
Off

$false

Blank
Off

$false

Blank
Off

$false

Blank
We have no specific recommendation for this setting. You can block messages from specific countries based on your business needs.
Test mode (TestModeAction) None None None This setting is part of ASF. For more information, see the ASF settings in anti-spam policies section in this article.
Actions Wherever you select Quarantine message, a Select quarantine policy box is available. Quarantine policies define what users are allowed to do to quarantined messages.

Standard and Strict preset security policies use the default quarantine policies (AdminOnlyAccessPolicy or DefaultFullAccessPolicy with no quarantine notifications) as described in the table here.

When you create a new anti-spam policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that particular verdict (AdminOnlyAccessPolicy with no quarantine notifications for High confidence phishing; DefaultFullAccessPolicy with no quarantine notifications for everything else).

Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users in the default or custom anti-spam policies. For more information, see Quarantine policies.
Spam detection action

SpamAction
Move message to Junk Email folder

MoveToJmf
Move message to Junk Email folder

MoveToJmf
Quarantine message

Quarantine
High confidence spam detection action

HighConfidenceSpamAction
Move message to Junk Email folder

MoveToJmf
Quarantine message

Quarantine
Quarantine message

Quarantine
Phishing detection action

PhishSpamAction
Move message to Junk Email folder*

MoveToJmf
Quarantine message

Quarantine
Quarantine message

Quarantine
* The default value is Move message to Junk Email folder in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is Quarantine message in new anti-spam policies that you create in the Microsoft 365 Defender portal.
High confidence phishing detection action

HighConfidencePhishAction
Quarantine message

Quarantine
Quarantine message

Quarantine
Quarantine message

Quarantine
Bulk detection action

BulkSpamAction
Move message to Junk Email folder

MoveToJmf
Move message to Junk Email folder

MoveToJmf
Quarantine message

Quarantine
Retain spam in quarantine for this many days

QuarantineRetentionPeriod
15 days 30 days 30 days

This value also affects messages that are quarantined by anti-phishing policies. For more information, see Quarantined email messages in EOP.
Enable spam safety tips

InlineSafetyTipsEnabled
Selected

$true
Selected

$true
Selected

$true
Enable zero-hour auto purge (ZAP) for phishing messages

PhishZapEnabled
Selected

$true
Selected

$true
Selected

$true
Enable ZAP for spam messages

SpamZapEnabled
Selected

$true
Selected

$true
Selected

$true
Allow & block list
Allowed senders

AllowedSenders
None None None
Allowed sender domains

AllowedSenderDomains
None None None Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out.

Use the spoof intelligence insight and the Tenant Allow/Block List to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.
Blocked senders

BlockedSenders
None None None
Blocked sender domains

BlockedSenderDomains
None None None

ASF settings in anti-spam policies

For more information about Advanced Spam Filter (ASF) settings in anti-spam policies, see Advanced Spam Filter (ASF) settings in EOP.

Security feature name Default Recommended
Standard
Recommended
Strict
Comment
Image links to remote sites

IncreaseScoreWithImageLinks
Off Off Off
Numeric IP address in URL

IncreaseScoreWithNumericIps
Off Off Off
URL redirect to other port

IncreaseScoreWithRedirectToOtherPort
Off Off Off
Links to .biz or .info websites

IncreaseScoreWithBizOrInfoUrls
Off Off Off
Empty messages

MarkAsSpamEmptyMessages
Off Off Off
Embed tags in HTML

MarkAsSpamEmbedTagsInHtml
Off Off Off
JavaScript or VBScript in HTML

MarkAsSpamJavaScriptInHtml
Off Off Off
Form tags in HTML

MarkAsSpamFormTagsInHtml
Off Off Off
Frame or iframe tags in HTML

MarkAsSpamFramesInHtml
Off Off Off
Web bugs in HTML

MarkAsSpamWebBugsInHtml
Off Off Off
Object tags in HTML

MarkAsSpamObjectTagsInHtml
Off Off Off
Sensitive words

MarkAsSpamSensitiveWordList
Off Off Off
SPF record: hard fail

MarkAsSpamSpfRecordHardFail
Off Off Off
Sender ID filtering hard fail

MarkAsSpamFromAddressAuthFail
Off Off Off
Backscatter

MarkAsSpamNdrBackscatter
Off Off Off
Test mode

TestModeAction)
None None None For ASF settings that support Test as an action, you can configure the test mode action to None, Add default X-Header text, or Send Bcc message (None, AddXHeader, or BccMessage). For more information, see Enable, disable, or test ASF settings.

EOP outbound spam policy settings

To create and configure outbound spam policies, see Configure outbound spam filtering in EOP.

For more information about the default sending limits in the service, see Sending limits.

Note

Outbound spam policies are not part of Standard or Strict preset security policies. The Standard and Strict values indicate our recommended values in the default outbound spam policy or custom outbound spam policies that you create.

Security feature name Default Recommended
Standard
Recommended
Strict
Comment
Set an external message limit

RecipientLimitExternalPerHour
0 500 400 The default value 0 means use the service defaults.
Set an internal message limit

RecipientLimitInternalPerHour
0 1000 800 The default value 0 means use the service defaults.
Set a daily message limit

RecipientLimitPerDay
0 1000 800 The default value 0 means use the service defaults.
Restriction placed on users who reach the message limit

ActionWhenThresholdReached
Restrict the user from sending mail until the following day

BlockUserForToday
Restrict the user from sending mail

BlockUser
Restrict the user from sending mail

BlockUser
Automatic forwarding rules

AutoForwardingMode
Automatic - System-controlled

Automatic
Automatic - System-controlled

Automatic
Automatic - System-controlled

Automatic
Send a copy of outbound messages that exceed these limits to these users and groups

BccSuspiciousOutboundMail

BccSuspiciousOutboundAdditionalRecipients
Not selected

$false

Blank
Not selected

$false

Blank
Not selected

$false

Blank
We have no specific recommendation for this setting.

This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.
Notify these users and groups if a sender is blocked due to sending outbound spam

NotifyOutboundSpam

NotifyOutboundSpamRecipients
Not selected

$false

Blank
Not selected

$false

Blank
Not selected

$false

Blank
The default alert policy named User restricted from sending email already sends email notifications to members of the TenantAdmins (Global admins) group when users are blocked due to exceeding the limits in policy. We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users. For instructions, see Verify the alert settings for restricted users.

EOP anti-malware policy settings

To create and configure anti-malware policies, see Configure anti-malware policies in EOP.

Security feature name Default Standard Strict Comment
Protection settings
Enable the common attachments filter

EnableFileFilter
Selected

$true
Selected

$true
Selected

$true
This setting quarantines messages that contain attachments based on file type, regardless of the attachment content. For the list of file types, see Anti-malware policies.
Common attachment filter notifications (When these file types are found)

FileTypeAction
Reject the messages with a non-delivery receipt (NDR)

Reject
Reject the messages with a non-delivery receipt (NDR)

Reject
Reject the messages with a non-delivery receipt (NDR)

Reject
Enable zero-hour auto purge for malware

ZapEnabled
Selected

$true
Selected

$true
Selected

$true
Quarantine policy AdminOnlyAccessPolicy AdminOnlyAccessPolicy AdminOnlyAccessPolicy When you create a new anti-malware policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as malware (AdminOnlyAccessPolicy with no quarantine notifications).

Standard and Strict preset security policies use the default quarantine policy (AdminOnlyAccessPolicy with no quarantine notifications) as described in the table here.

Admins can create and select custom quarantine policies that define more capabilities for users in the default or custom anti-malware policies. For more information, see Quarantine policies.
Admin notifications
Notify an admin about undelivered messages from internal senders

EnableInternalSenderAdminNotifications

InternalSenderAdminAddress
Not selected

$false
Not selected

$false
Not selected

$false
We have no specific recommendation for this setting.
Notify an admin about undelivered messages from external senders

EnableExternalSenderAdminNotifications

ExternalSenderAdminAddress
Not selected

$false
Not selected

$false
Not selected

$false
We have no specific recommendation for this setting.
Customize notifications We have no specific recommendations for these settings.
Use customized notification text

CustomNotifications
Not selected

$false
Not selected

$false
Not selected

$false
From name

CustomFromName
Blank

$null
Blank

$null
Blank

$null
From address

CustomFromAddress
Blank

$null
Blank

$null
Blank

$null
Customize notifications for messages from internal senders These settings are used only if Notify an admin about undelivered messages from internal senders is selected.
Subject

CustomInternalSubject
Blank

$null
Blank

$null
Blank

$null
Message

CustomInternalBody
Blank

$null
Blank

$null
Blank

$null
Customize notifications for messages from external senders These settings are used only if Notify an admin about undelivered messages from external senders is selected.
Subject

CustomExternalSubject
Blank

$null
Blank

$null
Blank

$null
Message

CustomExternalBody
Blank

$null
Blank

$null
Blank

$null

EOP anti-phishing policy settings

For more information about these settings, see Spoof settings. To configure these settings, see Configure anti-phishing policies in EOP.

The spoof settings are inter-related, but the Show first contact safety tip setting has no dependency on spoof settings.

Security feature name Default Standard Strict Comment
Phishing threshold & protection
Enable spoof intelligence

EnableSpoofIntelligence
Selected

$true
Selected

$true
Selected

$true
Actions
If message is detected as spoof

AuthenticationFailAction
Move message to the recipients' Junk Email folders

MoveToJmf
Move message to the recipients' Junk Email folders

MoveToJmf
Quarantine the message

Quarantine
This setting applies to spoofed senders that were automatically blocked as shown in the spoof intelligence insight or manually blocked in the Tenant Allow/Block List.

If you select Quarantine the message, an Apply quarantine policy box is available to select the quarantine policy that defines what users are allowed to do to messages that are quarantined as spoofing. When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as spoofing (DefaultFullAccessPolicy with no quarantine notifications).

Standard and Strict preset security policies use the default quarantine policy (DefaultFullAccessPolicy with no quarantine notifications) as described in the table here.

Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users in the default or custom anti-phishing policies. For more information, see Quarantine policies.
Show first contact safety tip

EnableFirstContactSafetyTips
Not selected

$false
Not selected

$false
Not selected

$false
For more information, see First contact safety tip.
Show (?) for unauthenticated senders for spoof

EnableUnauthenticatedSender
Selected

$true
Selected

$true
Selected

$true
Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Unauthenticated sender indicators.
Show "via" tag

EnableViaTag
Selected

$true
Selected

$true
Selected

$true
Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the MAIL FROM address.

For more information, see Unauthenticated sender indicators.

Microsoft Defender for Office 365 security

Additional security benefits come with a Microsoft Defender for Office 365 subscription. For the latest news and information, you can see What's new in Defender for Office 365.

Important

If your subscription includes Microsoft Defender for Office 365 or if you've purchased Defender for Office 365 as an add-on, set the following Standard or Strict configurations.

Anti-phishing policy settings in Microsoft Defender for Office 365

EOP customers get basic anti-phishing as previously described, but Defender for Office 365 includes more features and control to help prevent, detect, and remediate against attacks. To create and configure these policies, see Configure anti-phishing policies in Defender for Office 365.

Advanced settings in anti-phishing policies in Microsoft Defender for Office 365

For more information about this setting, see Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365. To configure this setting, see Configure anti-phishing policies in Defender for Office 365.

Security feature name Default Standard Strict Comment
Phishing email threshold

PhishThresholdLevel
1 - Standard

1
2 - Aggressive

2
3 - More aggressive

3

Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365

For more information about these settings, see Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365. To configure these settings, see Configure anti-phishing policies in Defender for Office 365.

Security feature name Default Standard Strict Comment
Phishing threshold & protection
Enable users to protect (impersonated user protection)

EnableTargetedUserProtection

TargetedUsersToProtect
Not selected

$false

none
Selected

$true

<list of users>
Selected

$true

<list of users>
We recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.
Enable domains to protect (impersonated domain protection) Not selected Selected Selected
Include domains I own

EnableOrganizationDomainsProtection
Off

$false
Selected

$true
Selected

$true
Include custom domains

EnableTargetedDomainsProtection

TargetedDomainsToProtect
Off

$false

none
Selected

$true

<list of domains>
Selected

$true

<list of domains>
We recommend adding domains (sender domains) that you don't own, but you frequently interact with.
Add trusted senders and domains

ExcludedSenders

ExcludedDomains
None None None Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.
Enable mailbox intelligence

EnableMailboxIntelligence
Selected

$true
Selected

$true
Selected

$true
Enable intelligence for impersonation protection

EnableMailboxIntelligenceProtection
Off

$false
Selected

$true
Selected

$true
This setting allows the specified action for impersonation detections by mailbox intelligence.
Actions Wherever you select Quarantine the message, a Select quarantine policy box is available. Quarantine policies define what users are allowed to do to quarantined messages.

Standard and Strict preset security policies use the default quarantine policy (DefaultFullAccessPolicy with no quarantine notifications) as described in the table here.

When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that verdict (DefaultFullAccessPolicy for all impersonation detection types).

Admins can create and select custom quarantine policies that define less restrictive or more restrictive capabilities for users in the default or custom anti-phishing policies. For more information, see Quarantine policies.
If message is detected as an impersonated user

TargetedUserProtectionAction
Don't apply any action

NoAction
Quarantine the message

Quarantine
Quarantine the message

Quarantine
If message is detected as an impersonated domain

TargetedDomainProtectionAction
Don't apply any action

NoAction
Quarantine the message

Quarantine
Quarantine the message

Quarantine
If mailbox intelligence detects an impersonated user

MailboxIntelligenceProtectionAction
Don't apply any action

NoAction
Move message to the recipients' Junk Email folders

MoveToJmf
Quarantine the message

Quarantine
Show user impersonation safety tip

EnableSimilarUsersSafetyTips
Off

$false
Selected

$true
Selected

$true
Show domain impersonation safety tip

EnableSimilarDomainsSafetyTips
Off

$false
Selected

$true
Selected

$true
Show user impersonation unusual characters safety tip

EnableUnusualCharactersSafetyTips
Off

$false
Selected

$true
Selected

$true

EOP anti-phishing policy settings in Microsoft Defender for Office 365

These are the same settings that are available in anti-spam policy settings in EOP.

Safe Attachments settings

Safe Attachments in Microsoft Defender for Office 365 includes global settings that have no relationship to Safe Attachments policies, and settings that are specific to each Safe Links policy. For more information, see Safe Attachments in Defender for Office 365.

Although there's no default Safe Attachments policy, the Built-in protection preset security policy provides Safe Attachments protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Attachments policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.

Global settings for Safe Attachments

Note

The global settings for Safe Attachments are set by the Built-in protection preset security policy, but not by the Standard or Strict preset security policies. Either way, admins can modify these global Safe Attachments settings at any time.

The Default column shows the values before the existence of the Built-in protection preset security policy. The Built-in protection column shows the values that are set by the Built-in protection preset security policy, which are also our recommended values.

To configure these settings, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Safe Documents in Microsoft 365 E5.

In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.

Security feature name Default Built-in protection Comment
Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams

EnableATPForSPOTeamsODB
Off

$false
On

$true
To prevent users from downloading malicious files, see Use SharePoint Online PowerShell to prevent users from downloading malicious files.
Turn on Safe Documents for Office clients

EnableSafeDocs
Off

$false
On

$true
This feature is available and meaningful only with licenses that are not included in Defender for Office 365 (for example, Microsoft 365 A5 or Microsoft 365 E5 Security). For more information, see Safe Documents in Microsoft 365 A5 or E5 Security.
Allow people to click through Protected View even if Safe Documents identified the file as malicious

AllowSafeDocsOpen
Off

$false
Off

$false
This setting is related to Safe Documents.

Safe Attachments policy settings

To configure these settings, see Set up Safe Attachments policies in Defender for Office 365.

In PowerShell, you use the New-SafeAttachmentPolicy and Set-SafeAttachmentPolicy cmdlets for these settings.

Note

As described earlier, there is no default Safe Attachments policy, but Safe Attachments protection is assigned to all recipients by the Built-in protection preset security policy (users who aren't defined in any Safe Attachments policies).

The Default in custom column refers to the default values in new Safe Attachments policies that you create. The remaining columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.

Security feature name Default in custom Built-in protection Standard Strict Comment
Safe Attachments unknown malware response

Enable and Action
Off

-Enable $false and -Action Block
Block

-Enable $true and -Action Block
Block

-Enable $true and -Action Block
Block

-Enable $true and -Action Block
When the Enable parameter is $false, the value of the Action parameter doesn't matter.
Quarantine policy (QuarantineTag) AdminOnlyAccessPolicy AdminOnlyAccessPolicy AdminOnlyAccessPolicy AdminOnlyAccessPolicy

Standard and Strict preset security policies use the default quarantine policy (AdminOnlyAccessPolicy with no quarantine notifications) as described in the table here.

When you create a new Safe Attachments policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by Safe Attachments (AdminOnlyAccessPolicy with no quarantine notifications).

Admins can create and select custom quarantine policies that define more capabilities for users. For more information, see Quarantine policies.
Redirect attachment with detected attachments : Enable redirect

Redirect

RedirectAddress
Not selected and no email address specified.

-Redirect $false

RedirectAddress is blank ($null)
Not selected and no email address specified.

-Redirect $false

RedirectAddress is blank ($null)
Selected and specify an email address.

$true

an email address
Selected and specify an email address.

$true

an email address
Redirect messages to a security admin for review.

Note: This setting is not configured in the Standard, Strict, or Built-in protection preset security policies. The Standard and Strict values indicate our recommended values in new Safe Attachments policies that you create.
Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)

ActionOnError
Selected

$true
Selected

$true
Selected

$true
Selected

$true

Safe Links in Defender for Office 365 includes global settings that apply to all users who are included in active Safe Links policies, and settings that are specific to each Safe Links policy. For more information, see Safe Links in Defender for Office 365.

Although there's no default Safe Links policy, the Built-in protection preset security policy provides Safe Links protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Links policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.

Note

The global settings for Safe Links are set by the Built-in protection preset security policy, but not by the Standard or Strict preset security policies. Either way, admins can modify these global Safe Links settings at any time.

The Default column shows the values before the existence of the Built-in protection preset security policy. The Built-in protection column shows the values that are set by the Built-in protection preset security policy, which are also our recommended values.

To configure these settings, see Configure global settings for Safe Links in Defender for Office 365.

In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.

Security feature name Default Built-in protection Comment
Block the following URLs

ExcludedUrls
Blank

$null
Blank

$null
We have no specific recommendation for this setting.

For more information, see "Block the following URLs" list for Safe Links.

Note: You can now manage block URL entries in the Tenant Allow/Block List. The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.

To configure these settings, see Set up Safe Links policies in Microsoft Defender for Office 365.

In PowerShell, you use the New-SafeLinksPolicy and Set-SafeLinksPolicy cmdlets for these settings.

Note

As described earlier, there's no default Safe Links policy, but Safe Links protection is assigned to all recipients by the Built-in protection preset security policy (users who otherwise aren't included in any Safe Links policies).

The Default in custom column refers to the default values in new Safe Links policies that you create. The remaining columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.

Security feature name Default in custom Built-in protection Standard Strict Comment
URL & click protection settings
Action on potentially malicious URLs within Emails
On: Safe Links checks a list of known, malicious links when users click links in email

EnableSafeLinksForEmail
Not selected

$false
Selected

$true
Selected

$true
Selected

$true
Apply Safe Links to email messages sent within the organization

EnableForInternalSenders
Not selected

$false
Not selected

$false
Selected

$true
Selected

$true
Apply real-time URL scanning for suspicious links and links that point to files

ScanUrls
Not selected

$false
Selected

$true
Selected

$true
Selected

$true
Wait for URL scanning to complete before delivering the message

DeliverMessageAfterScan
Not selected

$false
Selected

$true
Selected

$true
Selected

$true
Do not rewrite URLs, do checks via Safe Links API only

DisableURLRewrite
Not selected

$false
Selected

$true
Not selected

$false
Not selected

$false
Do not rewrite the following URLs in email

DoNotRewriteUrls
Blank

$null
Blank

$null
Blank

$null
Blank

$null
We have no specific recommendation for this setting.

Note: Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use allow URL entries in the Tenant Allow/Block List so URLs are not scanned or wrapped by Safe Links during mail flow and at time of click.
Action for potentially malicious URLs in Microsoft Teams
On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams

EnableSafeLinksForTeams
Not selected

$false
Selected

$true
Selected

$true
Selected

$true
Action for potentially malicious URLs in Microsoft Office apps
On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps

EnableSafeLinksForOffice
Selected

$true
Selected

$true
Selected

$true
Selected

$true
Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see Safe Links settings for Office apps.
Click protection settings
Track user clicks

TrackUserClicks
Selected

$true
Selected

$true
Selected

$true
Selected

$true
Let users click through to the original URL

AllowClickThrough
Selected

$true
Selected

$true
Not selected

$false
Not selected

$false
Turning off this setting (setting AllowClickThrough to $false) prevents click through to the original URL.
Display the organization branding on notification and warning pages

EnableOrganizationBranding
Not selected

$false
Not selected

$false
Not selected

$false
Not selected

$false
We have no specific recommendation for this setting.

Before you turn on this setting, you need to follow the instructions in Customize the Microsoft 365 theme for your organization to upload your company logo.
Notification
How would you like to notify your users?

CustomNotificationText

UseTranslatedNotificationText
Use the default notification text

Blank ($null)

$false
Use the default notification text

Blank ($null)

$false
Use the default notification text

Blank ($null)

$false
Use the default notification text

Blank ($null)

$false
We have no specific recommendation for this setting.

You can select Use custom notification text (-CustomNotificationText "<Custom text>") to enter and use customized notification text. If you specify custom text, you can also select Use Microsoft Translator for automatic localization (-UseTranslatedNotificationText $true) to automatically translate the text into the user's language.