Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams

Office 365 Advanced Threat Protection (ATP) includes safe links, safe attachments, spoof intelligence, and advanced anti-phishing capabilities. Beginning in late November 2017 and over the next several weeks, Advanced Threat Protection is being extended to files in SharePoint Online, OneDrive for Business, and Microsoft Teams. This enables your organization to collaborate more securely.

Note: Advanced Threat Protection for SharePoint, OneDrive, and Microsoft Teams is not available on-premises. Advanced Threat Protection is included in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information about plan options, see Compare All Office 365 for Business Plans.

What do you want to do?

You must be an Office 365 global administrator or security administrator to perform the tasks described in this article. Make sure that you are a member of either the Hygiene Management or Organization Management role group. For more information, see Feature permissions in Exchange Online Protection (EOP) on TechNet.

Get an overview of how it works

People regularly share files and collaborate using SharePoint Online, OneDrive for Business, and Microsoft Teams. ATP can help your organization collaborate in a safer manner by preventing people from opening or downloading malicious files.

When a file in SharePoint Online, OneDrive for Business, or Microsoft Teams has been identified as malicious, ATP directly integrates with the file stores to lock that file.

Example of a malicious file detected in a library. (This new experience is rolling out for SharePoint Online and OneDrive for Business in late December 2017.)

Although the file is still listed in the document library and web, mobile, or desktop applications, the file cannot be downloaded or opened. This helps prevent inadvertent sharing of malicious content, and it helps ensure that the files people in your organization are working on together are safe.

A few important points...

  • Advanced Threat Protection for SharePoint Online, OneDrive for Business, and Microsoft Teams will not scan every single file in SharePoint Online, OneDrive for Business, or Microsoft Teams. This is by design. Files are scanned asynchronously, through a process that uses sharing and guest activity events along with smart heuristics and threat signals to identify malicious files.

  • When a file has been identified as malicious, people will see that the file exists in its location in SharePoint Online, OneDrive for Business, or Microsoft Teams. Details, such as filenames and markers indicating that files have been identified as malicious, will appear, but no one will be able to open or download the malicious files.

  • Files that are identified as malicious in SharePoint Online, OneDrive for Business, or Microsoft Teams will show up in reports for Office 365 Advanced Threat Protection and in Threat Explorer (part of Office 365 Threat Intelligence).

  • Advanced Threat Protection is part of your organization's overall threat protection strategy, which includes anti-spam and anti-malware protection, as well as safe links and safe attachments. To learn more, see Protect against threats in Office 365.

Turn on Office 365 Advanced Threat Protection for SharePoint Online, OneDrive for Business, and Microsoft Teams

Before you begin this procedure, make sure that audit logging is already turned on for your Office 365 environment. This is typically done by someone who has the Audit Logs role assigned in Exchange Online. For more information, see Turn Office 365 audit log search on or off.

  1. As a global administrator or security administrator, go to https://protection.office.com, and sign in with your work or school account.

  2. In the Office 365 Security & Compliance Center, in the left navigation pane, under Threat management, choose Policy > Safe attachments.


  3. Select Turn on ATP for SharePoint, OneDrive, and Microsoft Teams.


  4. Click Save.

    Allow up to 30 minutes for this functionality to spread to all Office 365 datacenters.

View information about detected files

To view status and detailed information about files that were detected by Advanced Threat Protection, you can use the Threat protection status report.

  1. In the Office 365 Security & Compliance Center, choose Threat management > Review > Protection status.


  2. In the View data by list, choose Content.


  3. In the Report graph list, choose Details table.


  4. View the list of files that were detected in the report.


  5. Select an item in the list to view detailed information, including actions taken, the file name, and file path.


Set up alerts

To receive notification when a file in SharePoint Online, OneDrive for Business, or Microsoft Teams has been identified as malicious, you can set up an alert.

  1. In the Office 365 Security & Compliance Center, choose Alerts > Manage alerts.

  2. Choose New alert policy.

  3. Specify a name for the alert. For example, you could type "Malicious Files in Libraries".

  4. Type a description for the alert. For example, you could type "Notifies admins when malicious files are detected in SharePoint Online, OneDrive for Business, or Microsoft Teams."

  5. In the Send this alert when... section, do the following:

    • In the Activities list, choose Detected malware in file.

    • Leave the Users field empty.

  6. In the Send this alert to... section, select one or more global administrators, security administrators, or security analysts who should receive notification when a malicious file is detected.

  7. Click Save.
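
The alert above fires on the "Detected malware in file" activity. As an added example (not Microsoft's code), the following script triages an exported audit log search for the same activity and groups detections by site. It assumes the export is a CSV with CreationDate, UserIds, Operations, and AuditData (JSON) columns, that the activity is recorded as the operation FileMalwareDetected, and that AuditData carries SiteUrl, SourceFileName, Workload, and UserId fields; all sample rows are constructed.

```python
import csv
import io
import json
from collections import defaultdict

MALWARE_OP = "FileMalwareDetected"  # assumed operation name for "Detected malware in file"

def build_sample_export():
    """Constructed sample (not real data) in the assumed export layout:
    CreationDate, UserIds, Operations, AuditData (JSON string)."""
    site = "https://contoso.example/sites/finance/"
    events = [
        {"CreationTime": "2018-01-09T10:02:11", "Operation": "FileUploaded",
         "Workload": "SharePoint", "UserId": "guest@partner.example",
         "SiteUrl": site, "SourceFileName": "invoice.docm"},
        {"CreationTime": "2018-01-09T10:07:40", "Operation": MALWARE_OP,
         "Workload": "SharePoint", "UserId": "guest@partner.example",
         "SiteUrl": site, "SourceFileName": "invoice.docm"},
        {"CreationTime": "2018-01-09T08:15:03", "Operation": MALWARE_OP,
         "Workload": "OneDrive", "UserId": "alex@contoso.example",
         "SiteUrl": "https://contoso-my.example/personal/alex/",
         "SourceFileName": "setup.js"},
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for e in events:
        writer.writerow([e["CreationTime"], e["UserId"], e["Operation"], json.dumps(e)])
    # A row whose AuditData was truncated during export.
    writer.writerow(["2018-01-09T11:00:00", "sam@contoso.example", MALWARE_OP,
                     '{"Operation": "FileMal'])
    return buf.getvalue()

def malware_detections(export_csv):
    """Group malware detections by site; return (by_site, unparsed_row_count)."""
    by_site, unparsed = defaultdict(list), 0
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["Operations"] != MALWARE_OP:
            continue
        try:
            data = json.loads(row["AuditData"])
        except json.JSONDecodeError:
            unparsed += 1  # counted so the analyst knows to pull the raw record
            continue
        by_site[data.get("SiteUrl", "unknown")].append(
            (data.get("CreationTime"), data.get("Workload"),
             data.get("SourceFileName"), data.get("UserId")))
    for hits in by_site.values():
        hits.sort(key=lambda h: h[0] or "")  # oldest first; ISO 8601 sorts lexically
    return dict(by_site), unparsed
```

Call malware_detections() with the text of your own export; a non-zero second return value means some detection rows could not be parsed and should be reviewed in the Security & Compliance Center directly.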

Related topics

Office 365 Advanced Threat Protection
Office 365 ATP safe attachments overview
Office 365 ATP safe links overview
View the reports for Office 365 Advanced Threat Protection
