Configure global settings for Safe Links in Microsoft Defender for Office 365

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

• Microsoft Defender for Office 365 plan 1 and plan 2
• Microsoft 365 Defender

Important

The Global settings menu and the Block the following URLs list for Safe Links are in the process of being deprecated. Use block entries for URLs in the Tenant Allow/Block List instead.

This article is intended for business customers who have Microsoft Defender for Office 365. If you are a home user looking for information about Safelinks in Outlook, see Advanced Outlook.com security.

Safe Links is a feature in Microsoft Defender for Office 365 that provides URL scanning of inbound email messages in mail flow, and time of click verification of URLs and links in email messages and in other locations. For more information, see Safe Links in Microsoft Defender for Office 365.

You configure most Safe Links settings in Safe Links policies, including Safe Links settings for supported Office Apps. For instructions, see Set up Safe Links policies in Microsoft Defender for Office 365.

But, Safe Links also uses the following global settings that you configure outside of the Safe Links policies themselves:

• The Block the following URLs list. This setting applies to all users who are included in any active Safe Links policies. For more information, see "Block the following URLs" list for Safe Links

You can configure the global Safe Links settings in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on subscriptions).

What do you need to know before you begin?

• Although there's no default Safe Links policy, the Built-in protection preset security policy provides Safe Links protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Links policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365. You can also create Safe Links policies to apply to specific users, group, or domains. For instructions, see Set up Safe Links policies in Microsoft Defender for Office 365.

• You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Safe Links page, use https://security.microsoft.com/safelinksv2.

• To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

• You need to be assigned permissions before you can do the procedures in this article. You have the following options:

  • Microsoft 365 Defender role based access control (RBAC): configuration/security (manage) or configuration/security (read). Currently, this option requires membership in the Microsoft 365 Defender Preview program.
  • Exchange Online RBAC:
    • Configure global settings for Safe Links: Membership in the Organization Management or Security Administrator role groups.
    • Read-only access to global settings for Safe Links: Membership in the Global Reader, Security Reader, or View-Only Organization Management role groups.
  • Azure AD RBAC: Membership in the Global Administrator, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.

• For our recommended values for the global settings for Safe Links, see Safe Links settings.

• Allow up to 30 minutes for a new or updated policy to be applied.

• New features are continually being added to Microsoft Defender for Office 365. As new features are added, you may need to make adjustments to your existing Safe Links policies.

Configure the "Block the following URLs" list in the Microsoft 365 Defender portal

Note

You can now manage block URL entries in the Tenant Allow/Block List. The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.

The Block the following URLs list identifies the links that should always be blocked by Safe Links scanning in supported apps. For more information, see "Block the following URLs" list for Safe Links.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Safe Links in the Policies section. To go directly to the Safe Links page, use https://security.microsoft.com/safelinksv2.

2. On the Safe Links page, click Global settings. In the Safe Links policy for your organization fly out that appears, go to the Block the following URLs box.

3. Configure one or more entries as described in Entry syntax for the "Block the following URLs" list.

   When you're finished, click Save.

Configure the "Block the following URLs" list in PowerShell

For details about the entry syntax, see Entry syntax for the "Block the following URLs" list.

You can use the Get-AtpPolicyForO365 cmdlet to view existing entries in the BlockURLs property.

• To add values that will replace any existing entries, use the following syntax in Exchange Online PowerShell or Exchange Online Protection PowerShell:

  Set-AtpPolicyForO365 -BlockUrls "Entry1","Entry2",..."EntryN"
  

  This example adds the following entries to the list:

  • Block the domain, subdomains, and paths for fabrikam.com.
  • Block the subdomain research, but not the parent domain or other subdomains in tailspintoys.com

  Set-AtpPolicyForO365 -BlockUrls "fabrikam.com","https://research.tailspintoys.com*"
  

• To add or remove values without affecting other existing entries, use the following syntax:

  Set-AtpPolicyForO365 -BlockUrls @{Add="Entry1","Entry2"...; Remove="Entry3","Entry4"...}
  

  This example adds a new entry for adatum.com, and removes the entry for fabrikam.com.

  Set-AtpPolicyForO365 -BlockUrls @{Add="adatum.com"; Remove="fabrikam"}
  

How do you know these procedures worked?

To verify that you've successfully configured the global settings for Safe Links (the Block the following URLs list and the Office 365 app protection settings), do any of the following steps:

• On the Safe Links page in the Microsoft 365 Defender portal at https://security.microsoft.com/safelinksv2, click Global settings, and verify the settings in the fly out that appears.

• In Exchange Online PowerShell or Exchange Online Protection PowerShell, run the following command and verify the settings:

  Get-AtpPolicyForO365 | Format-List BlockUrls
  

  For detailed syntax and parameter information, see Get-AtpPolicyForO365.