Commit ff1ff06

Merge pull request #3520 from MicrosoftDocs/chrisda
Update try-microsoft-defender-for-office-365.md
2 parents b405500 + 84c1c73 commit ff1ff06

1 file changed

+11
-5
lines changed

defender-office-365/try-microsoft-defender-for-office-365.md

Lines changed: 11 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -18,7 +18,7 @@ ms.collection:
1818
ms.custom:
1919
ms.service: defender-office-365
2020
ROBOTS:
21-
ms.date: 01/29/2025
21+
ms.date: 04/18/2025
2222
---
2323

2424
# Try Microsoft Defender for Office 365
@@ -27,7 +27,7 @@ As an existing Microsoft 365 customer, the **Trials** and **Evaluation** pages i
2727

2828
Before you try Defender for Office 365 Plan 2, there are some key questions that you need to ask yourself:
2929

30-
- Do I want to passively observe what Defender for Office 365 Plan 2 can do for me (*audit*), or do I want Defender for Office 365 Plan 2 to take direct action on issues that it finds (*block*)?
30+
- Do I want to passively observe what Defender for Office 365 Plan 2 can do for me (_audit_), or do I want Defender for Office 365 Plan 2 to take direct action on issues that it finds (_block_)?
3131
- Either way, how can I tell what Defender for Office 365 Plan 2 is doing for me?
3232
- How long do I have before I need to make the decision to keep Defender for Office 365 Plan 2?
3333

@@ -78,7 +78,13 @@ The default policies for these EOP features are always on, apply to all recipien
7878

7979
Do you want your Defender for Office 365 experience to be active or passive? The following modes are available:
8080

81-
- **Audit mode**: Special _evaluation policies_ are created for anti-phishing (which includes impersonation protection), Safe Attachments, and Safe Links. These evaluation policies are configured to _detect_ threats only. Defender for Office 365 detects harmful messages for reporting, but the messages aren't acted upon (for example, detected messages aren't quarantined). The settings of these evaluation policies are described in the [Policies in audit mode](#policies-in-audit-mode) section later in this article. We also automatically turn on SafeLinks time of click protection in audit mode for non-email workloads (for example, Microsoft Teams, SharePoint, and OneDrive for Business)
81+
- **Audit mode**: Special _evaluation policies_ are created for anti-phishing (which includes impersonation protection), Safe Attachments, and Safe Links. These evaluation policies are configured to _detect_ threats only. Defender for Office 365 detects harmful messages for reporting, but the messages aren't acted upon (for example, detected messages aren't quarantined). The settings of these evaluation policies are described in the [Policies in audit mode](#policies-in-audit-mode) section later in this article.
82+
83+
> [!NOTE]
84+
> The following protection features are **on by default** and can **take action** on items, even in audit mode:
85+
>
86+
> - Safe Links time of click protection in non-email workloads (for example, Microsoft Teams, SharePoint, and OneDrive).
87+
> - [Zero-hour auto purge (ZAP) in Microsoft Teams](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-in-microsoft-teams).
8288
8389
You can also selectively turn on or turn off anti-phishing protection (spoofing and impersonation), Safe Links protection, and Safe Attachments protection. For instructions, see [Manage evaluation settings](#manage-evaluation-settings).
8490

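Review bot: The new `[!NOTE]` under the **Audit mode** bullet says Safe Links time of click protection in non-email workloads and ZAP in Microsoft Teams "can **take action** on items, even in audit mode", while the bullet it follows still says the evaluation policies are configured to "_detect_ threats only" and the section intro still frames the choice as active or passive. Someone planning a purely passive evaluation is left to reconcile the two. Suggest scoping the bullet's detect-only wording explicitly to email messages handled by the evaluation policies, and having the note say what action these two features take and where they can be turned off. The context sentence that follows ("You can also selectively turn on or turn off anti-phishing protection ..., Safe Links protection, and Safe Attachments protection") doesn't mention ZAP in Teams, so the note is currently the only place a reader learns it is active, with no pointer to its controls beyond the link to the ZAP article.
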
@@ -99,7 +105,7 @@ The key factors that determine which modes are available to you are:
99105

100106
:::image type="content" source="media/mdo-trial-mail-flow.png" alt-text="Mail flows from the internet into Microsoft 365, with protection from EOP and/or Defender for Office 365 Plan 1." lightbox="media/mdo-trial-mail-flow.png":::
101107

102-
In these environments, **audit mode** or **blocking mode** are available, depending on your licensing as explained in the next section
108+
In these environments, **audit mode** or **blocking mode** are available, depending on your licensing as explained in the next section.
103109

104110
- You're currently using a third-party service or device for email protection of your Microsoft 365 mailboxes. Mail from the internet flows through the protection service before delivery into your Microsoft 365 organization. Microsoft 365 protection is as low as possible (it's never completely off; for example, malware protection is always enforced).
105111

@@ -476,7 +482,7 @@ A: See [Order of precedence for preset security policies and other policies](pre
476482
To see these policies and their settings, run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell):
477483

478484
```powershell
479-
Write-Output -InputObject ("`r`n"*3),"Evaluation anti-phishing policy",("-"*79);Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Evaluation"; Write-Output -InputObject ("`r`n"*3),"Evaluation Safe Attachments policy",("-"*79);Get-SafeAttachmentPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Evaluation"; Write-Output -InputObject ("`r`n"*3),"Evaluation Safe Links policy",("-"*79);Get-SafeLinksPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Evaluation"
485+
Write-Output -InputObject ("`r`n"*3),"Evaluation anti-phishing policy",("-"*79); Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Evaluation"; Write-Output -InputObject ("`r`n"*3),"Evaluation Safe Attachments policy",("-"*79); Get-SafeAttachmentPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Evaluation"; Write-Output -InputObject ("`r`n"*3),"Evaluation Safe Links policy",("-"*79);Get-SafeLinksPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Evaluation"
480486
```
481487

482488
The settings are also described in the following tables.
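
Review bot: The spacing cleanup on the added PowerShell line is incomplete: the first two separators now read `; Get-AntiPhishPolicy` and `; Get-SafeAttachmentPolicy`, but the last one is still `;Get-SafeLinksPolicy` with no space after the semicolon. Add the space there as well so the command is consistent. Since this line is being edited anyway, consider breaking the three policy queries onto separate lines inside the code block; a single line of this length is hard to read and easy to copy incompletely.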
