Admin review for user reported messages

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

• Exchange Online Protection
• Microsoft Defender for Office 365 plan 1 and plan 2
• Microsoft 365 Defender

In Microsoft 365 organizations with Exchange Online mailboxes and Microsoft Defender for Office 365, admins can send templated result messages back to users after they review the user reported messages. Admins can customize the notification message template that's used for the organization.

The feature is designed to give feedback to users without changing the message verdicts in the system. To help Microsoft update and improve its filters, admins need to submit user reported messages to Microsoft for analysis when the user reported settings are configured to send user reported messages to the reporting mailbox only. For more information, see User reported settings.

Admins can mark messages and notify users of review results only if the user reported the message as a false positive or a false negative.

What do you need to know before you begin?

• You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Submissions page, use https://security.microsoft.com/reportsubmission. To go directly to the User reported page, use https://security.microsoft.com/securitysettings/userSubmission.

• You need to be assigned permissions before you can do the procedures in this article. You have the following options:

  • Email & collaboration RBAC in the Microsoft 365 Defender portal: Membership in the Organization Management or Security Administrator role groups.
  • Exchange Online RBAC: Membership in the Organization Management role group.
  • Azure AD RBAC: Membership in the Global Administrator or Security Administrator roles gives users the required permissions and permissions for other features in Microsoft 365.

• You need access to Exchange Online PowerShell. If your account doesn't have access to Exchange Online PowerShell, you get the following error: Specify an email address in your domain. For more information about enabling or disabling access to Exchange Online PowerShell, see the following articles:

  • Enable or disable access to Exchange Online PowerShell
  • Client Access Rules in Exchange Online (until October 2023)

Notify users from within the portal

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to the Submissions page at Email & collaboration > Submissions. Or, to go directly to the Submissions tab, use https://security.microsoft.com/reportsubmission.

2. On the Submissions page, select the User reported tab.

3. On the User reported tab, select the user reported message by using either of the following methods:

   • Select the message from the list by selecting the check box next to the first column, and then select Mark as and notify.
   • Select the message from the list by clicking anywhere in the row other than the check box. In the details flyout that opens, select Mark as and notify or More options > Mark as and notify.

4. In the Mark as and notify dropdown list, select one of the following values:

   • No threats found
   • Phishing
   • Spam

   

The reported message is marked as No threats found, Phishing, or Spam, and an email is automatically sent to notify the user who reported the message.

To customize the notification email, see the next section.

Customize the messages used to notify users

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to the User reported page at Settings > Email & collaboration > User reported tab. Or, to go directly to the User reported page, use https://security.microsoft.com/securitysettings/userSubmission.

2. On the User reported page, verify that the toggle at the top of the page is On.

3. Find the Email sent to user after admin review section and configure one or more of the following settings:

   • Specify an Office 365 mailbox to send email notifications from: Select this option and enter the sender's email address in the box that appears.

   • Replace the Microsoft logo with my company logo: Select this option to replace the default Microsoft logo that's used in notifications. Before you do this step, you need to follow the instructions in Customize the Microsoft 365 theme for your organization to upload your custom logo.

   • Customize email notification messages: Select this link to customize the email notification that's sent after an admin reviews and marks a reported message. In the Customize admin review email notifications flyout that appears, configure the following settings on the Phishing, Junk and No threats found tabs:

     • Email box results text: Enter the custom text to use.
       • Footer tab: The following options are available:
       • Email footer text: Enter the custom message footer text to use.

     When you're finished on the Customize admin review email notifications flyout, select Confirm.

   

4. When you're finished on the User reported page, select Save. To clear these values, select Restore on the User reported page.