Alert policies in the Microsoft Defender portal

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

In Microsoft 365 organizations with mailboxes in Exchange Online, alert policies generate alerts in the alert dashboard when users take actions that match the conditions of the policy. There are many default alert policies that help you monitor activities. For example, assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions and external sharing.

Tip

Alert policies in the Microsoft Defender portal are identical to alert policies in the Microsoft Purview compliance portal at https://compliance.microsoft.com/alertpolicies.

What do you need to know before you begin?

  • You need to be assigned permissions before you can do the procedures in this article. You have the following options:

    • Microsoft Defender XDR Unified role based access control (RBAC) (If Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell):

      • Read only access to the Alert policies page: Security operations / Security data / Security data basics (read).
      • Manage alert policies: Authorization and settings / Security settings / Detection tuning (manage).
    • Email & collaboration permissions in the Microsoft Defender portal:

      • Create and manage alert policies in the Threat management category: Membership in the Organization Management or Security Administrator role groups.
      • View alerts in the Threat management category: Membership in the Security Reader role group.
    • Microsoft Entra permissions: Membership in the Global Administrator*, Security Administrator, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.

      Important

      * Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

  • For information about other alert policy categories, see Permissions required to view alerts.

Open alert policies

In the Microsoft Defender portal at https://security.microsoft.com, go to Email & collaboration > Policies & rules > Alert policy. Or, to go directly to the Alert policy page, use https://security.microsoft.com/alertpoliciesv2.

On the Alert policy page, you can view and create alert policies. For more information, see Alert policies in Microsoft 365