Create anomaly detection policies in Office 365 Cloud App Security

Office 365 Advanced Security Management is now Office 365 Cloud App Security.


Create a new anomaly detection policy

  1. As a global administrator or security administrator, go to and sign in using your work or school account.

  2. In the Security & Compliance Center, choose Alerts > Manage advanced alerts.

  3. Choose Go to Office 365 Cloud App Security.

    This takes you to the Office 365 Cloud App Security Policies page.

    When you go to the Office 365 Cloud App Security portal, you start with the Policies page

  4. Click Create policy, and then select Anomaly detection policy.

    When you create a policy in O365 CAS, you can choose between Activity policies and Anomaly Detection policies.

  5. On the Create anomaly detection policy page, specify the Policy name and Description. To base your policy on a default template, choose one in the Policy template list, or create your own policy without using a template.

    When you define an anomaly detection policy, you can use a template or create your own policy

  6. Choose a Category for this policy. The category helps you filter and sort triggered alerts, and group policies when you review them to make changes.

  7. Choose Activity filters and Risk factors for your policy.

  8. Under Alerts, keep the default severity threshold settings. Specify whether to receive alerts via email, text message, or both.

    Important: Make sure that your email provider doesn't block emails sent from

  9. Click Create to save your changes and set up your policy.

Tip: Office 365 Cloud App Security policies apply only to users who have been assigned licenses for Office 365 Cloud App Security. For the best results, review your license assignments. For more information, see Assign licenses to users in Office 365 for business.

Points of consideration

Office 365 Cloud App Security provides a general anomaly detection policy that is created by default for each organization. This policy applies to Office 365 users who are licensed for Office 365 Cloud App Security and triggers an alert whenever suspicious user activity is detected. Detections are based on a learning algorithm that uses pre-defined risk factors to estimate the overall risk of any user session at any point in time. If a user session's risk score is higher than the threshold, an alert is triggered.

The pre-defined risk factors that contribute to the overall risk score include the following:

  • High number of login failures in a short time

  • Anomalous patterns of privileged administrative activities

  • The last time a user performed any activity

  • The location a user originated from, whether it’s a new, infrequent or suspicious location

  • Concurrent activity from multiple, geographically dispersed locations

  • Repeated activities that are performed many times within a short period

  • Activity originating from risky IP addresses, such as anonymous proxies or botnets

Built-in algorithms do most of the work to detect anomalies automatically for you by scanning user activity and evaluating risks. By having an anomaly detection policy in place to trigger alerts, you'll be notified when this risky behavior occurs.

Important: There is an initial learning period of seven (7) days during which anomalous behavior alerts are not triggered. The anomaly detection algorithm is optimized to reduce the number of false positive alerts. Some audited activities are known to be unreliable for determining a user's location from the audited IP address; on their own, these are less likely to trigger travel alerts unless additional audited events provide further evidence.
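The scoring model described above, as an added illustration that is not Microsoft's code or the product's actual algorithm: a toy Python session-risk scorer that combines several of the listed risk factors over constructed audit records, honours the seven-day learning period, and alerts once an assumed threshold is crossed. The weights, time windows, threshold and the `risky_ip` flag are all assumptions made for the example.

```python
"""Toy session-risk scorer showing how the page's listed risk factors could combine.
Weights, windows and the threshold are assumptions, not the product's algorithm."""
from datetime import datetime, timedelta

LEARNING_PERIOD = timedelta(days=7)  # page: no anomaly alerts during the first 7 days
THRESHOLD = 60                       # assumed alert threshold on a 0-100 scale

def parse(ts):
    return datetime.fromisoformat(ts)

def score_session(events, user, now_ts, first_seen_ts):
    """Return (score, reasons) for `user` as of `now_ts`; `first_seen_ts` starts the baseline."""
    now, first_seen = parse(now_ts), parse(first_seen_ts)
    if now - first_seen < LEARNING_PERIOD:     # still learning: build baseline, never alert
        return 0, ["learning period"]
    hist = sorted((e for e in events if e["user"] == user and parse(e["ts"]) <= now),
                  key=lambda e: parse(e["ts"]))
    recent = [e for e in hist if now - parse(e["ts"]) <= timedelta(minutes=15)]
    latest = recent[-1] if recent else None
    score, reasons = 0, []
    failures = sum(e["action"] == "login" and e["result"] == "failure" for e in recent)
    if failures >= 5:                          # many login failures in a short time
        score += 30; reasons.append(f"{failures} login failures in 15 min")
    baseline = {e["country"] for e in hist if parse(e["ts"]) < first_seen + LEARNING_PERIOD}
    if latest and latest["country"] not in baseline:   # new / infrequent location
        score += 25; reasons.append(f"new location {latest['country']}")
    hour = {e["country"] for e in hist if now - parse(e["ts"]) <= timedelta(hours=1)}
    if len(hour) > 1:                          # concurrent activity, dispersed locations
        score += 25; reasons.append("multiple countries within 1 h")
    if latest and latest.get("risky_ip"):      # anonymous proxy / botnet flag (assumed feed)
        score += 30; reasons.append("risky IP")
    return min(score, 100), reasons

def should_alert(events, user, now_ts, first_seen_ts):
    score, reasons = score_session(events, user, now_ts, first_seen_ts)
    return score >= THRESHOLD, score, reasons

# Constructed sample audit records for one user (not real data).
FIRST_SEEN = "2018-01-01T00:00:00"
EVENTS = [
    {"user": "alice", "ts": "2018-01-02T09:00:00", "action": "login", "result": "success", "country": "US"},
    {"user": "alice", "ts": "2018-01-20T09:00:00", "action": "login", "result": "success", "country": "US"},
] + [  # burst of failed logins from a new country on a flagged IP
    {"user": "alice", "ts": f"2018-01-20T09:2{i}:00", "action": "login", "result": "failure",
     "country": "RU", "risky_ip": True} for i in range(5)
]

if __name__ == "__main__":
    print(should_alert(EVENTS, "alice", "2018-01-20T09:30:00", FIRST_SEEN))
```

Running the block prints `(True, 100, [...])` for the burst at 09:30, while the same user's ordinary sign-in at 09:05 scores 0 and any query inside the first seven days is suppressed as "learning period".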
