title: Alert policies in the Microsoft Defender portal
f1.keywords:
  - NOCSH
author: chrisda
ms.author: chrisda
manager: bagol
audience: ITPro
ms.topic: how-to
ms.collection:
  - m365-security
  - tier2
ms.localizationpriority: medium
ms.assetid:
ms.custom:
  - seo-marvel-apr2020
description: Admins can use the Alert policy page in the Microsoft Defender portal to view and create alert policies to trigger alerts when the specified actions occur.
ms.service: defender-office-365
search.appverid: met150
ms.date: 05/29/2025
appliesto:
  - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
  - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>

Alert policies in the Microsoft Defender portal

[!INCLUDE MDO Trial banner]

In organizations with cloud mailboxes, alert policies generate alerts in the alert dashboard when users take actions that match the conditions of the policy. There are many default alert policies that help you monitor activities such as assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions and external sharing.

What do you need to know before you begin?

  • You need to be assigned permissions before you can do the procedures in this article. You have the following options:

    • Microsoft Defender XDR Unified role based access control (RBAC) (If Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell):

      • Read only access to the Alert policies page: Security operations / Security data / Security data basics (read).
      • Manage alert policies: Authorization and settings / Security settings / Detection tuning (manage).
    • Email & collaboration permissions in the Microsoft Defender portal:

      • Create and manage alert policies in the Threat management category: Membership in the Organization Management or Security Administrator role groups.
      • View alerts in the Threat management category: Membership in the Security Reader role group.
    • Microsoft Entra permissions: Membership in the Global Administrator*, Security Administrator, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.

      [!IMPORTANT] * Microsoft strongly advocates for the principle of least privilege. Assigning accounts only the minimum permissions necessary to perform their tasks helps reduce security risks and strengthens your organization's overall protection. Global Administrator is a highly privileged role that you should limit to emergency scenarios or when you can't use a different role.

  • For information about other alert policy categories, see Permissions required to view alerts.

[!INCLUDE Built-in alert tuning rules]

Open alert policies

In the Microsoft Defender portal at https://security.microsoft.com, go to Email & collaboration > Policies & rules > Alert policy. Or, to go directly to the Alert policy page, use https://security.microsoft.com/alertpoliciesv2.

On the Alert policy page, you can view and create alert policies. For more information, see Alert policies in Microsoft 365.