Important
The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.
Important
Microsoft Defender for Office 365 evaluation is in public preview. This preview version is provided without a service level agreement. Certain features might not be supported or might have constrained capabilities.
Conducting a thorough security product evaluation can help you make informed decisions on upgrades and purchases. It helps to try out the security product's capabilities to assess how it can help your security operations team in their daily tasks.
The Microsoft Defender for Office 365 evaluation experience is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of Microsoft Defender for Office 365. With evaluation mode, all messages sent to Exchange Online mailboxes can be evaluated without pointing MX records to Microsoft. The feature only applies to email protection and not to Office Clients like Word, SharePoint, or Teams.
If you don't already have a license that supports Microsoft Defender for Office 365, you can start a free 30-day evaluation and test the capabilities in the Office 365 Security & Compliance center (https://protection.office.com/homepage). You'll enjoy the quick set-up and you can easily turn it off if necessary.
Note
If you're in the unified Microsoft 365 security portal (security.microsoft.com) you can start a Defender for Office 365 evaluation here: Email & Collaboration > Policies & Rules > Threat Policies > Additional Policies.
How the evaluation works
Defender for Office 365 in evaluation mode creates Defender for Office 365 email policies that log verdicts, such as malware, but don't act on messages. You are not required to change your MX record configuration.
With evaluation mode, Safe Attachments, Safe Links, and mailbox intelligence based impersonation policies are set up on your behalf. All Defender for Office 365 policies are created in non-enforcement mode in the background and are not visible to you.
As part of the setup, evaluation mode also configures Enhanced Filtering for Connectors. It improves filtering accuracy by preserving IP address and sender information, which are otherwise lost when mail passes through an email security gateway (ESG) in front of Defender for Office 365. Enhanced Filtering for Connectors also improves the filtering accuracy for your existing Exchange Online Protection (EOP) anti-spam and anti-phishing policies.
Enabling Enhanced Filtering for Connectors improves filtering accuracy but may alter deliverability for certain messages if you have an ESG in front of Defender for Office 365 and currently do not bypass EOP filtering. The impact is limited to EOP policies; the Defender for Office 365 (MDO) policies set up as part of the evaluation are created in non-enforcement mode. To minimize potential production impact, you can bypass all EOP filtering by creating a transport rule to set the Spam Confidence Level (SCL) to -1. See Use the EAC to create a mail flow rule that sets the SCL of a message for details.
When the evaluation mode is set up, you will have a report updated daily with up to 90 days of data quantifying the messages that would have been blocked if the policies were implemented (for example, delete, send to junk, quarantine). Reports are generated for all Defender for Office 365 and EOP detections. They are aggregated per detection technology (for example, impersonation) and can be filtered by time range. Additionally, message reports can be created on-demand to create custom pivots or to deep dive messages using Threat Explorer.
With the simplified set-up experience, you can focus on:
- Running the evaluation
- Getting a detailed report
- Analyzing the report for action
- Presenting the evaluation outcome
Before you begin
Licensing
To access the evaluation, you'll need to meet the licensing requirements. Any of the following licenses will work:
- Microsoft Defender for Office 365 Plan 1
- Microsoft Defender for Office 365 Plan 2
- Microsoft 365 E5, Microsoft 365 E5 Security
- Office 365 E5
If you don't have one of those licenses, then you'll need to obtain a trial license.
Trial
To obtain a trial license for Microsoft Defender for Office 365, you need to have the Billing admin role or Global admin role. Request permission from someone that has the Global admin role. Learn about subscriptions and licenses
Once you have the proper role, the recommended path is to obtain a trial license for Microsoft Defender for Office 365 (Plan 2) in the Microsoft 365 admin center by going to Billing > Purchase services. The trial includes a 30-day free trial for 25 licenses. Get a trial for Microsoft Defender for Office 365 (Plan 2).
You'll have a 30-day window with the evaluation to monitor and report on advanced threats. You'll also have the option to buy a paid subscription if you want the full Defender for Office 365 capabilities.
Roles
Exchange Online roles are required to set up Defender for Office 365 in evaluation mode. Assigning a Microsoft 365 compliance or security admin role won't work.
The following roles are needed:
Task | Role (in Exchange Online) |
---|---|
Get a free trial or buy Microsoft Defender for Office 365 (Plan 2) | Billing admin role OR Global admin role |
Create evaluation policy | Remote and Accepted Domains role; Security admin role |
Edit evaluation policy | Remote and Accepted Domains role; Security admin role |
Delete evaluation policy | Remote and Accepted Domains role; Security admin role |
View evaluation report | Security admin role OR Security reader role |
Enhanced filtering
Your Exchange Online Protection policies, such as bulk and spam protection, will remain the same. However, the evaluation turns on enhanced filtering for connectors, which may impact your mail flow and Exchange Online Protection policies unless bypassed.
Enhanced filtering for connectors allows tenants to use anti-spoofing protection. Anti-spoofing is not supported if you're using an email security gateway (ESG) without having turned on Enhanced filtering for connectors.
URLs
URLs will be detonated during mail flow. If you don't want specific URLs detonated, manage your list of allowed URLs appropriately. See Manage the Tenant Allow/Block List for details.
URL links in the email message bodies won't wrap, to lessen customer impact.
Email routing
Prepare the corresponding details that you will need to set up how your email is currently routed, including the name of the inbound connector that routes your mail. If you are just using Exchange Online Protection, you won't have a connector. Learn about mail flow and email routing
Supported email routing scenarios include:
- Third-party partner and/or on-premises service provider: The inbound connector that you want to evaluate uses a third-party provider and/or you're using a solution for email security on-premises.
- Microsoft Exchange Online Protection only: The tenant that you want to evaluate uses Office 365 for email security and the Mail Exchange (MX) record points to Microsoft.
Email security gateway
If you're using a third-party email security gateway (ESG), you'll need to know the provider's name. If you're using an ESG on-premises or non-supported vendors, you'll need to know the public IP address(es) for the devices.
Supported third-party partners include:
- Barracuda
- IronPort
- Mimecast
- Proofpoint
- Sophos
- Symantec
- Trend Micro
Scoping
You will be able to scope the evaluation to an inbound connector. If there's no connector configured, then the evaluation scope will allow admins to gather data from any user in your tenant to evaluate Defender for Office 365.
Get started with the evaluation
Find the Microsoft Defender for Office 365 evaluation set-up card in the Office 365 Security & Compliance center (https://protection.office.com/homepage) from three access points:
- Threat management > Dashboard
- Threat management > Policy
- Reports > Dashboard
Setting up the evaluation
Once you start the set-up flow for your evaluation, you'll be given two routing options. Depending on your organization's mail routing setup and evaluation needs, you can select whether you are using a third-party and/or on-premises service provider or only Microsoft Exchange Online.
If you are using a third-party partner and/or on-premises service provider, you'll need to select the name of the vendor from the drop-down menu. Provide the other connector-related details.
Select Microsoft Exchange Online if the MX record points to Microsoft and you have an Exchange Online mailbox.
Review your settings and edit them if necessary. Then, select Create evaluation. You should get a confirmation message to indicate that your set-up is complete.
Your Microsoft Defender for Office 365 evaluation report is generated once per day. It may take up to 24 hours for the data to populate.
Exchange rules (optional)
If you have an existing gateway, enabling evaluation mode will activate enhanced filtering for connectors. This improves filtering accuracy by altering the incoming sender IP address. This may change the filter verdicts and, if you are not bypassing Exchange Online Protection, may alter deliverability for certain messages. In this case, you might want to temporarily bypass filtering to analyze the impact. To bypass, navigate to the Exchange admin center and create a policy of SCL -1 (if you don't already have one). For details on the rule components and how they work, see Mail flow rules (transport rules) in Exchange Online.
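The temporary SCL -1 bypass described above can also be created from Exchange Online PowerShell. This is an added example, not part of the original Microsoft article. The rule name and the 192.0.2.0/24 range are placeholders, and scoping the rule with -SenderIpRanges to the gateway's egress addresses is an assumption that all inbound mail reaches Exchange Online through that gateway.

```powershell
# Added example; requires the ExchangeOnlineManagement module and an Exchange Online admin role.
Connect-ExchangeOnline -ShowBanner:$false

# Placeholders (assumptions): use your own rule name and your gateway's public egress IPs.
$ruleName   = 'TEMP - MDO evaluation - bypass EOP for ESG mail'
$gatewayIps = @('192.0.2.0/24')   # documentation range, not a real gateway

# 1. Record what Enhanced Filtering currently does on each inbound connector.
Get-InboundConnector |
    Format-Table Name, Enabled, EFSkipLastIP, EFSkipIPs, EFUsers -AutoSize

# 2. Look for rules that already set SCL -1, so a second bypass is not stacked on top.
$existing = Get-TransportRule -ResultSize Unlimited |
    Where-Object { "$($_.SetSCL)" -eq '-1' }

if ($existing) {
    $existing | Format-Table Name, State, Priority, SenderIpRanges -AutoSize
    Write-Warning 'An SCL -1 rule already exists; review its scope before adding another.'
}
else {
    # 3. Create the bypass only for mail arriving from the gateway addresses.
    New-TransportRule -Name $ruleName `
        -SenderIpRanges $gatewayIps `
        -SetSCL -1 `
        -Comments 'Temporary bypass while the Defender for Office 365 evaluation runs. Remove afterwards.'
}

# 4. When the impact analysis is finished, remove the bypass so EOP filtering applies again.
# Remove-TransportRule -Identity $ruleName -Confirm:$false
```

After sending a test message through the gateway, its X-Forefront-Antispam-Report header should show SCL:-1 if the rule matched.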
Evaluate capabilities
After the evaluation report has been generated, see how many advanced threat links, advanced threat attachments, and potential impersonations were identified in the emails and collaboration workspaces in your organization.
Once the trial has expired, you can continue to access the report for 90 days. However, it won't collect any more information. If you want to continue using Microsoft Defender for Office 365 after your trial has expired, make sure you buy a paid subscription for Microsoft Defender for Office 365 (Plan 2).
You can go to Settings to update your routing or turn off your evaluation at any time. However, you need to go through the same set-up process again should you decide to continue your evaluation after having turned it off.
Provide feedback
Your feedback helps us get better at protecting your environment from advanced attacks. Share your experience and impressions of product capabilities and evaluation results.
Select Give feedback to let us know what you think.
This article provides instructions for connecting Microsoft Cloud App Security to your existing Office 365 account using the app connector API. This connection gives you visibility into and control over Office 365 use. For information about how Cloud App Security protects Office 365, see Protect Office 365.
Cloud App Security supports the legacy Office 365 Dedicated Platform as well as the latest offerings of Office 365 services (commonly referred to as the vNext release family of Office 365). Cloud App Security doesn't support the Legacy Microsoft Business Productivity Online Standard Suite (BPOS).
Note
In some cases, a vNext service release differs slightly at the administrative and management levels from the standard Office 365 offering.
Cloud App Security supports the following Office 365 apps:
- Dynamics 365 CRM
- Exchange (only appears after activities from Exchange are detected in the portal, and requires you to turn on auditing)
- Office
- OneDrive
- Power Automate
- Power BI (only appears after activities from Power BI are detected in the portal, and requires you to turn on auditing)
- SharePoint
- Skype for Business
- Teams (only appears after activities from Teams are detected in the portal)
- Yammer
Note
Cloud App Security integrates directly with Office 365's audit logs and receives all audited events from all supported services, such as PowerApps, Forms, Sway, and Stream.
How to connect Office 365 to Cloud App Security
Note
- You must have at least one assigned Office 365 license to connect Office 365 to Cloud App Security.
- To enable monitoring of Office 365 activities in Cloud App Security, you are required to enable auditing in the Office Security and Compliance Center.
- Exchange administrator audit logging, which is enabled by default in Office 365, logs an event in the Office 365 audit log when an administrator (or a user who has been assigned administrative privileges) makes a change in your Exchange Online organization. Changes made using the Exchange admin center or by running a cmdlet in Windows PowerShell are logged in the Exchange admin audit log. For more detailed information about admin audit logging in Exchange, see Administrator audit logging.
- Exchange Mailbox audit logging must be turned on for each user mailbox before user activity in Exchange Online is logged, see Exchange Mailbox activities.
- If Office apps are enabled, groups that are part of Office 365 are also imported to Cloud App Security from the specific Office apps, for example, if SharePoint is enabled, Office 365 groups are imported as SharePoint groups as well.
- You must enable auditing in PowerBI to get the logs from there. Once auditing is enabled, Cloud App Security starts getting the logs (with a delay of 24-72 hours).
- You must enable auditing in Dynamics 365 to get the logs from there. Once auditing is enabled, Cloud App Security starts getting the logs (with a delay of 24-72 hours).
- If your Azure Active Directory is set to automatically sync with the users in your Active Directory on-premises environment, the settings in the on-premises environment override the Azure AD settings and use of the Suspend user governance action is reverted.
- For Azure AD sign-in activities, Cloud App Security only surfaces interactive sign-in activities and sign-in activities from legacy protocols such as ActiveSync. Noninteractive sign-in activities may be viewed in the Azure AD audit log.
- Multi-geo deployments are only supported for OneDrive.
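The auditing prerequisites in the notes above can be checked before connecting. This is an added example, not part of the original Microsoft article; it assumes Exchange Online PowerShell (the ExchangeOnlineManagement module), and the mailbox address in the last comment is a placeholder.

```powershell
# Added example; run in Exchange Online PowerShell.
Connect-ExchangeOnline -ShowBanner:$false

$auditConfig = Get-AdminAuditLogConfig
$orgConfig   = Get-OrganizationConfig

# User mailboxes where the per-mailbox audit flag is off.
$notAudited = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled })

# One summary object per run, easy to export or compare between runs.
[pscustomobject]@{
    UnifiedAuditLogIngestion = $auditConfig.UnifiedAuditLogIngestionEnabled
    ExchangeAdminAuditLog    = $auditConfig.AdminAuditLogEnabled
    OrgMailboxAuditDisabled  = $orgConfig.AuditDisabled
    MailboxesWithoutAudit    = $notAudited.Count
} | Format-List

if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is off; enable it before connecting Office 365 to Cloud App Security.'
    # To enable: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# List the affected mailboxes so they can be reviewed before auditing is enabled on them.
$notAudited | Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit

# To enable auditing for one mailbox (placeholder address):
# Set-Mailbox -Identity 'user@contoso.example' -AuditEnabled $true
```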
In the Connected apps page, click the plus button and select Office 365.
In the Office 365 pop-up, click Connect Office 365.
In the Office 365 components page, select the options you require, and then click Connect.
Note
- For best protection, we recommend selecting all Office 365 components.
- The Office 365 files component requires the Office 365 activities component and Cloud App Security file monitoring (Settings > Files > Enable file monitoring).
After Office 365 is displayed as successfully connected, click Close.
Note
After connecting Office 365, you will see data from a week back including any third-party applications connected to Office 365 that are pulling APIs. For third-party apps that weren't pulling APIs prior to connection, you see events from the moment you connect Office 365 because Cloud App Security turns on any APIs that had been off by default.
If you have any problems connecting the app, see Troubleshooting App Connectors.
Next steps
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.