ATPDocs/remediation-actions.md
+18 -22 (18 additions & 22 deletions)
@@ -35,34 +35,30 @@ To perform any of the [supported actions](#supported-actions), you need to:
35
35
36
36
The following Defender for Identity actions can be performed on Identities:
37
37
38
-
-**Disable user in Active Directory** - This temporarily prevents a user from signing in to the on-premises network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
|Disable user | This temporarily prevents a user from signing in. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network. | Active Directory, Entra ID and Okta
41
+
|Enable user | Enable a user to sign in. | Active Directory, Entra ID and Okta
42
+
|Revoke all Users' sessions | Revoke a user's active sessions. | Entra ID and Okta
43
+
|Confirm user compromised | The user's risk level is set to High | Entra ID
44
+
| Reset user password| This prompts the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts| Active Directory
45
+
|Deactivate user in Okta | This action can be used when a non-legit malicious account was detected, to deactivate the account permanently | Okta
46
+
| Set user risk to High/Medium/Low |Set one user risk scoring to one of the defined levels. This action will only be available if [Risk Scoring](https://help.okta.com/en-us/Content/Topics/Security/Security_Risk_Scoring.htm) feature is enabled | Okta
39
47
40
-
-**Reset user password** - This prompts the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts.
41
-
42
-
-**Mark User Compromised** - The user's risk level is set to High.
43
-
44
-
-**Suspend User in Entra ID** - Block new sign-ins and access to cloud resources.
45
-
46
-
-**Require User to Sign In Again** - Revoke a user's active sessions.
47
-
48
-
-**Suspend User in Okta** - Temporarily disables a user account. This action can be used when a legit user account was found to be compromised and needed to be disabled.
49
-
50
-
-**Deactivate User in Okta** - This action can be used when a non-legit malicious account was detected, to deactivate the account permanently.
51
48
52
49
Depending on your Microsoft Entra ID roles, you might see additional Microsoft Entra ID actions, such as requiring users to sign in again and confirming a user as compromised. For more information, see [Remediate risks and unblock users](/entra/id-protection/howto-identity-protection-remediate-unblock).
|Mark User Compromised | - Global Administrator <br> - Security Administrator|
59
-
|Suspend User in Entra ID | - Global Administrator |
60
-
|Require User to Sign In Again | - Global Administrator <br>|
61
-
| Disable/Enable User in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
62
-
| Force Password Reset in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
63
-
| Suspend User in Okta | A custom role defined with permissions for Response (manage) Or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator|
64
-
| Deactivate User in Okta | A custom role defined with permissions for Response (manage) Or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator|
65
-
53
+
| Remediation Action | Active Directory |Entra ID | Okta |
54
+
|--|--|--|--|
55
+
| Disable user | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)| Global Administrator | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
56
+
| Enable user | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)| Global Administrator | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
57
+
| Revoke all Users' sessions |N\A | Global Administrator | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
58
+
| Confirm user compromised |N\A | - Global Administrator <br> -Security Administrator | N/A|
59
+
| Reset user password | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | N\A | N\A
60
+
| Deactivate user in Okta | N\A | N\A | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator
61
+
| Set User risk to High/Medium/Low | N\A | N\A | A custom role defined with permissions for Response (manage) or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator
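Review bot: The not-applicable cells in the new permissions table are written `N\A` in the Revoke all Users' sessions, Confirm user compromised, Reset user password, Deactivate user in Okta and Set User risk rows, while the Okta cell of the Confirm user compromised row uses `N/A`. The backslash form renders with a literal backslash, so use `N/A` throughout. The last three rows of this table and the added rows of the actions table also omit the closing `|` that the header row has. Action names should match between the two tables ("Set user risk to High/Medium/Low" vs "Set User risk to High/Medium/Low"), and the unchanged paragraph above still says "requiring users to sign in again" for the action now called "Revoke all Users' sessions". Finally, the removed "Suspend User in Okta" text explained when to suspend a legitimate but compromised account instead of deactivating it. The merged "Disable user" row no longer makes that distinction for Okta, so consider keeping a sentence on it next to "Deactivate user in Okta".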
defender-office-365/mdo-support-teams-quick-configure.md
+6 -6 (6 additions & 6 deletions)
@@ -16,14 +16,14 @@ ms.collection:
16
16
- tier1
17
17
description: Admins who aren't using Microsoft Defender for Office 365 can learn how to quickly set up protection in Microsoft Teams.
18
18
ms.service: defender-office-365
19
-
ms.date: 04/15/2025
19
+
ms.date: 08/21/2025
20
20
appliesto:
21
-
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
21
+
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
22
22
---
23
23
24
-
# Quickly configure Microsoft Teams protection in Microsoft Defender for Office 365 Plan 2
24
+
# Quickly configure Microsoft Teams protection in Microsoft Defender for Office 365
25
25
26
-
Even if you aren't using Microsoft Defender for Office 365 Plan 2 for email protection, you can still use it for Microsoft Teams protection.
26
+
Even if you aren't using Microsoft Defender for Office 365 for email protection, you can still use it for Microsoft Teams protection.
27
27
28
28
This article contains the quick steps to turn on and configure Defender for Office 365 protection for Microsoft Teams.
29
29
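Review bot: The title, the opening sentence and the `appliesto` entry now cover Plan 1 as well as Plan 2, but nothing in the opening lines tells a Plan 1 reader which steps apply to them. That only appears in the Step 3 and Step 4 headings further down. Suggest adding a sentence after "This article contains the quick steps to turn on and configure Defender for Office 365 protection for Microsoft Teams." stating that Steps 3 and 4 require Plan 2.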
@@ -77,7 +77,7 @@ For complete instructions, see [Use the Microsoft Defender portal to modify cust
77
77
> [!TIP]
78
78
> Teams integration is on in the [Built-in protection preset security policy](preset-security-policies.md), but any other Safe Links policies [take precedence](preset-security-policies.md#order-of-precedence-for-preset-security-policies-and-other-threat-policies) over the Built-in protection preset security policy (as shown in the order they're listed on the **Safe Links** page).
79
79
80
-
## Step 3: Verify Zero-hour auto purge (ZAP) for Microsoft Teams
80
+
## Step 3: Defender for Office 365 Plan 2: Verify Zero-hour auto purge (ZAP) for Microsoft Teams
81
81
82
82
For complete instructions, see [Configure ZAP for Teams protection in Defender for Office 365 Plan 2](mdo-support-teams-about.md#configure-zap-for-teams-protection-in-defender-for-office-365-plan-2).
83
83
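Review bot: The new heading "## Step 3: Defender for Office 365 Plan 2: Verify Zero-hour auto purge (ZAP) for Microsoft Teams" chains two colons and changes the heading text, so the generated anchor for this section changes too. Check for inbound links to the old Step 3 anchor, and consider a form such as "## Step 3 (Plan 2 only): Verify Zero-hour auto purge (ZAP) for Microsoft Teams", which keeps the step title readable. The same applies to the Step 4 heading changed in the next hunk.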
@@ -90,7 +90,7 @@ For complete instructions, see [Configure ZAP for Teams protection in Defender f
90
90
> [!TIP]
91
91
> When ZAP for Microsoft Teams is turned on, you can use **Exclude these participants** on the **Microsoft Teams protection** page to exclude users from Teams protection. For more information, see [Configure ZAP for Teams protection in Defender for Office 365 Plan 2](mdo-support-teams-about.md#configure-zap-for-teams-protection-in-defender-for-office-365-plan-2).
92
92
93
-
## Step 4: Configure user reported settings for Microsoft Teams
93
+
## Step 4: Defender for Office 365 Plan 2: Configure user reported settings for Microsoft Teams
94
94
95
95
For complete instructions, see [User reported message settings in Microsoft Teams](submissions-teams.md).
In organizations with Microsoft Defender for Office 365 Plan 2 or Microsoft Defender XDR, admins can decide whether users can report malicious messages in Microsoft Teams. Admins can also get visibility into the Teams messages that users are reporting.
30
30
31
-
Users can report messages in Teams from chats, standardand private channels, and meeting conversations. Users can only report messages as malicious.
31
+
Users can report messages in Teams from chats, standard, private and shared channels, and meeting conversations. Users can only report messages as malicious.
32
32
33
33
> [!NOTE]
34
34
> User reporting of messages in Teams is not supported in U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD).
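Review bot: The added sentence "Users can report messages in Teams from chats, standard, private and shared channels, and meeting conversations." nests the channel types inside the outer list, so "standard" reads as a separate place to report from. Suggest reordering to "from chats, meeting conversations, and standard, private, and shared channels". Also, the unchanged NOTE directly below says user reporting isn't supported in U.S. Government organizations. Confirm that the note still holds for the newly added shared channels case, or say so explicitly.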
@@ -104,14 +104,15 @@ For more information about user reported message settings in the Defender portal
104
104
105
105
What happens to a user reported Teams message depends on the settings in the **Reported message destinations** section on the **User reported settings** page at <https://security.microsoft.com/securitysettings/userSubmission>:
106
106
107
-
-**Send the reported messages to**\>**Microsoft and my reporting mailbox**: For Microsoft 365 organizations created after March 1 2023, this value is the default. The default user reporting mailbox is the Exchange Online mailbox of the global admin. The value for older Microsoft 365 organizations is unchanged.
107
+
-**Send the reported messages to**\>**Microsoft and my reporting mailbox**: The default user reporting mailbox is the Exchange Online mailbox of the global admin. The value for older Microsoft 365 organizations is unchanged.
108
108
-**Send the reported messages to**\>**Microsoft only**
109
109
-**Send the reported messages to**\>**My reporting mailbox only**
110
110
111
111
For more information, see [User reported settings](submissions-user-reported-messages-custom-mailbox.md).
112
112
113
113
**Notes**:
114
114
115
+
- For shared channel user reports, the report goes to the organization that owns/created the channel.
115
116
- If you select **Send the reported messages to**\>**My reporting mailbox only**, reported messages don't go to Microsoft for analysis unless an admin manually submits the message from the **User reported** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user>. Reporting messages to Microsoft is an important part of training the service to help improve the accuracy of filtering (reduce false positives and false negatives). That's why we use **Send the reported messages to**\>**Microsoft and my reporting mailbox** as the default.
116
117
- Regardless of the **Send the reported messages to** setting, the following actions occur when a user reports a Teams message:
117
118
- Metadata from the reported Teams message (for example, senders, recipients, reported by, and message details) is available on the **User reported** tab on the **Submissions** page.
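Review bot: In the first bullet, removing "For Microsoft 365 organizations created after March 1 2023, this value is the default." leaves "The value for older Microsoft 365 organizations is unchanged." with nothing to refer to: "older" has no reference date and "the value" no antecedent. Either drop that sentence as well or restate which organizations get this default, since the note further down still says "That's why we use **Send the reported messages to**\>**Microsoft and my reporting mailbox** as the default." In the added note, "owns/created the channel" should name one party (for example, "the organization that owns the channel") so it's clear which tenant's reporting mailbox and admins receive the report.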
| Set up, pause, remove or the agent |**Security Administrator** in Microsoft Entra ID |
59
-
| View and manage agent settings and activity |**Security Copilot (read)** and **Security data basics (read)** under the **Security operations** permissions group in the Defender portal |
57
+
| Set up, pause, or remove the agent, and manage agent identity|**Security Administrator** in Microsoft Entra ID |
58
+
| View and manage agent settings |**Security Copilot (read)** and **Security data basics (read)** under the **Security operations** permissions group in the Defender portal |
60
59
| View and manage feedback |**Security Copilot (read)**, **Security data basics (read)**, and **Email & collaboration metadata (read)** under the **Security operations** permissions group in the Defender portal|
61
60
|Reject feedback|**Security Administrator** in Microsoft Entra ID|
61
+
| View agent results |**Security Copilot (read)**, **Security data basics (read)**, **Alerts (manage)**, **Email & collaboration metadata (read)**, and **Email & collaboration content (read)** under the **Security operations** permissions group in the Defender portal|
62
62
63
63
For more information about unified RBAC in the Defender portal, see [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac).
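Review bot: The added "View agent results" row requires **Alerts (manage)**, the only manage-level permission in a row whose task is viewing. Every other permission listed for the view rows is read-level. Please confirm that manage is really required, and if it is, add a short reason so admins applying least privilege don't assume it's a typo. The row would also sit more naturally next to "View and manage agent settings" than after "Reject feedback", and "manage agent identity|" is missing the space before the pipe that the other rows have.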