Microsoft Defender for Cloud Apps: Check which policy applied at event

Hello Ms. M, thanks for coming into forums. I'm also a user like you and I'll be more than happy to help you to the best of my knowledge.

Yes, you can check which policy was applied to a user in Microsoft Defender for Cloud Apps by reviewing the audit logs.

To access the audit logs, follow these steps:

-Go to the Microsoft 365 security center.
-Click on the "Threat management" section, and then click on "Audit log search".
-In the "Audit log search" page, you can select "Cloud App Security" as the source and then specify the date range and user account to search for events related to Defender for Cloud Apps.
-Once the events are displayed, you can look for events related to "File upload blocked" or "Policy applied". These events will include information on which policy was triggered and applied.

You can also filter the events by policy name to quickly find the specific policy that was triggered.

Hope this info helps. Feel free to let us know.

Warm Regards,
Myk

Hi John

After I've applied all of the updates for Office 2016 for Mac, this error no longer occurs.
It was a bit complicated to find the update in the app (Reg Help, check for updates)

But now everything works fine. Thanks for the support.

Best regards Martin

Hi,
Happy new year and Thanks for reply and information.
What I am trying to do is deactivating Microsoft 365 defender for some email addresses(10-15 emails). Because I have to test the performance of another anti spam tool. Currently 365 defender works for all email addresses and it does not allow me to check other one.
Thank you

Hello,

Greetings for the day!
I’m an Independent Advisor and Microsoft user like you. Thanks for posting the query here at this forum.

Are you using the Microsoft Defender in Office 365 for any on-premises or cloud mailboxes ?

The following are the primary ways you can use Defender for Office 365 for message protection:

1. In a Defender for Office 365 filtering-only scenario, Defender for Office 365 provides cloud-based email protection for your on-premises Exchange Server environment or any other on-premises SMTP email solution.

2. Defender for Office 365 can be enabled to protect Exchange Online cloud-hosted mailboxes.

3. In a hybrid deployment, Defender for Office 365 can be configured to protect your messaging environment and control mail routing when you have a mix of on-premises and cloud mailboxes with Exchange Online Protection for inbound email filtering.

Please find the details below.
https://learn.microsoft.com/en-us/o...dvanced-threat-protection-service-description

Incase if you want to exclude any particular program in Windows device from Microsoft defender,

1. Select Start , then open Settings . Under Privacy & security , select Virus & threat protection.

2. Under Virus & threat protection settings, select Manage settings, and then under Exclusions, select Add or remove exclusions.

3. Select Add an exclusion, and then select from files, folders, file types, or process. A folder exclusion will apply to all subfolders within the folder as well.
https://support.microsoft.com/windows/811816c0-4dfd-af4a-47e4-c301afe13b26

Hope this information helps. Please feel free to get back if you have any questions.

Thank you!
Ravikumar
Help the next person who has this issue by indicating if this reply solved your problem. Click Yes or No below.

Hallo Peter Ess,



Bedanke mich für die Erläuterung



Was mit den Elementen nach dem 365 Tag passiert hängt von der Aufbewahrungsrichtlinie ab.



What happens when the hold duration expires?



When the hold duration expires for a mailbox item in the Recoverable Items folder, the item is permanently deleted (purged) from the inactive mailbox. If there is no duration specified for the hold placed on the inactive mailbox, items in the Recoverable
Items folder are never purged (unless the hold duration for the inactive mailbox is changed).



Is retention policy still processed on inactive mailboxes?



If a retention policy was applied to a mailbox when it was made inactive, the deletion policies (which are retention tags configured with a Delete retention action) will continue to be processed on the inactive mailbox. That means items that are tagged with
a deletion policy are moved to the Recoverable Items folder when the retention period expires. Those items are then purged from the inactive mailbox when the hold duration for an item expires.



Conversely, any archive policies (which are retention tags configured with a MoveToArchive retention action) that are included in the retention policy assigned to an inactive mailbox are ignored. That means items in an inactive mailbox that are tagged with
an archive policy remain in the primary mailbox when the retention period expires. They're not moved to the archive mailbox or to the Recoverable Items folder in the archive mailbox. Because a user can't sign in to an inactive mailbox, there's no reason to
consume datacenter resources to process archive policies.



Quelle:
Change the hold duration for an inactive mailbox in Exchange Online



Für weitere Fragen stehe ich gerne zur Verfügung.



Mit freundlichen Grüßen,



Desislava Dimova



Microsoft Office 365 Support Engineer