Turn on Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams

Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When a malicious file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. Read this article to turn on ATP for SharePoint, OneDrive, and Teams, set up alerts to be notified about detected files, and take your next steps.

Tip: In order to perform the tasks described in this article, you must have the necessary permissions assigned in the Office 365 Security & Compliance Center.

In this article

Turn on ATP for SharePoint, OneDrive, and Microsoft Teams

Before you begin this procedure, make sure that audit logging is already turned on for your Office 365 environment. This is typically done by someone who has the Audit Logs role assigned in Exchange Online. For more information, see Turn Office 365 audit log search on or off.

  1. As a global administrator or security administrator, go to https://protection.office.com, and sign in with your work or school account.

  2. In the Office 365 Security & Compliance Center, in the left navigation pane, under Threat management, choose PolicySafe Attachments.

    In the Security & Compliance Center, choose Threat management > Policy

  3. Select Turn on ATP for SharePoint, OneDrive, and Microsoft Teams.

    Turn on Advanced Threat Protection for SharePoint Online, OneDrive for Business, and Microsoft Teams

  4. Click Save.

  5. Review (and, as appropriate, edit) your organization's Safe Attachments policies and Safe Links policies.

  6. (Recommended) As a global administrator or a SharePoint Online administrator, run the Set-SPOTenant cmdlet with the DisallowInfectedFileDownload parameter set to true. The following table describes how this parameter affects what people see when they click a file that has been detected as malicious:

    If the Set-SPOTenant cmdlet has the DisallowInfectedFileDownload parameter set to:

    true (recommended), this happens:

    false, this happens:

    • All actions, except Delete, are blocked for detected files.

    • People cannot open, move, copy, or share detected files. 

    • People see a visual cue that indicates that a file has been identified as malicious. No one can download the file.

    • All actions, except Delete and Download, are blocked for detected files.

    • People cannot open, move, copy, or share detected files.

    • People see a visual cue that indicates a file has been identified as malicious, but they can choose to accept the risk and download the file anyway.

  7. Allow up to 30 minutes for your changes to spread to all Office 365 datacenters.

  8. (Recommended) Proceed to set up alerts for detected files.

Tips: 

Set up alerts for detected files

To receive notification when a file in SharePoint Online, OneDrive for Business, or Microsoft Teams has been identified as malicious, you can set up an alert.

  1. In the Office 365 Security & Compliance Center, choose Alerts > Manage alerts.

  2. Choose New alert policy.

  3. Specify a name for the alert. For example, you could type Malicious Files in Libraries.

  4. Type a description for the alert. For example, you could type Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams.

  5. In the Send this alert when... section, do the following:

    • In the Activities list, choose Detected malware in file.

    • Leave the Users field empty.

  6. In the Send this alert to... section, select one or more global administrators, security administrators, or security readers who should receive notification when a malicious file is detected.

  7. Click Save.

Next steps

Related topics

Office 365 Advanced Threat Protection
View the reports for Office 365 Advanced Threat Protection
Permissions in the Office 365 Security & Compliance Center

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×