Policies for Microsoft 365 utilizes two data retrieval modes to detect violations: auditor mode and scan mode. In auditor mode, the system collects audit events within Microsoft 365 to identify instances that do not comply with policy requirements. In scan mode, the system proactively scans specified conditions in Microsoft 365 to identify instances that violate policy requirements.
The table below provides a comprehensive overview of all supported rules for service-level policies, irrespective of the object types to which they apply.
| Rule Name | Rule Description | Data Retrieval Mode |
|---|---|---|
| Access Request Settings | Control access request settings within a site to manage who can request and approve access to a site. | Scan Mode |
| Automatic Forwarding Restriction | Restrict users from auto-forwarding emails. | Scan Mode |
| Classification Change Restriction | Prevent changes to the classification of Groups or Teams. | Scan Mode |
| Classification Enforcement | Enforce that all Groups or Teams have a classification assigned to them and assign a default classification if there is none. | Scan Mode |
| Content Creation and Upload Restriction | Control content creation and upload including items, attachments, and documents based on user, size, file extension, content type, and sensitivity label. | Auditor Mode |
| Content Sensitivity Label Enforcement | Enforce sensitivity labels for documents based on their risk level, sensitivity level, and exposure level. | Scan Mode |
| Control Access from Unmanaged Devices | Block or limit access to SharePoint and OneDrive content from unmanaged devices. | Scan Mode |
| Control Group Visibility in Global Address List | Control the visibility of mail-enabled security groups and distribution lists in the global address list. | Scan Mode |
| Deleted Item Retention Period Enforcement | Set the retention period that permanently deleted mailbox items are kept in the Recoverable Items folder. | Scan Mode |
| Deletion Restriction | Control users who have the ability to delete objects in sites. | Auditor Mode |
| External Sharing Settings | Control the external sharing settings for Groups or Teams. | Scan Mode |
| Groups/Teams Creation Restriction | Control users who have the ability to create Groups or Teams. | Auditor Mode |
| Groups/Teams Name Enforcement | Prevent owners of Groups or Teams from changing their Group or Team name. | Scan Mode |
| Guest User Access Enforcement | Control users who have the ability to add guest users to Groups or Teams. | Auditor Mode |
| Guest User Full Control Permission Restriction | Report guest users who have the site-level Full Control permission and remove this permission from them. | Scan Mode |
| Legacy Email Protocols Restriction | Restrict the use of legacy email protocols, including POP, SMTP, and IMAP protocols, to prevent password spray attacks that may breach mailboxes in your tenants. | Scan Mode |
| Library Default Sensitivity Label Enforcement | Enforce a default sensitivity label for document libraries so that the sensitivity label will be applied to all newly created or edited Office files. | Scan Mode |
| Library Versioning Settings Enforcement | Enforce the versioning settings for all libraries in sites. | Scan Mode |
| List/Library Creation Restriction | Control users who have the ability to create lists and libraries. | Auditor Mode |
| List/Library Object Number Restriction | Control the number of items, documents, and folders in a list/library. | Scan Mode |
| Member Number Restriction | Control the number of members in Microsoft 365 Groups, Teams, security groups, or distribution lists. | Scan Mode |
| Membership Restriction | Control users who can be added to Microsoft 365 Groups, Teams, security groups, or distribution lists as members. | Scan Mode |
| Message Size Restriction | Restrict the maximum size for messages sent and received by mailboxes. | Scan Mode |
| Microsoft 365 Group Visibility in Outlook Client | Control if a Microsoft 365 Group is visible in the Outlook client. | Scan Mode |
| Owner Number Restriction | Control the number of owners in Microsoft 365 Groups, Teams, security groups, and distribution lists. | Scan Mode |
| Ownership Enforcement | Enforce specific users to be in the owner group of a site. | Scan Mode |
| Ownership Restriction | Control users who can be added to Groups or Teams as owners. | Scan Mode |
| Permission Inheritance Protection | Protect permission inheritance from being broken at specific object levels. | Auditor Mode |
| Permission Level Enforcement for Built-in SharePoint Groups | Enforce permission levels for built-in SharePoint groups, including site owners, site members, and site visitors. | Scan Mode |
| Pre-defined Group Members (Cloud Governance) | Enforce that users you have defined via site collection properties (example: Cloud Governance site contacts) can be added to specified SharePoint Online groups. | Scan Mode |
| Privacy Restriction | Control the privacy settings of Groups or Teams. | Scan Mode |
| Private Channel Ownership Enforcement | Enforce specific users to be owners of Teams private channels. | Scan Mode |
| Private Channel Owner Number Restriction | Control the number of owners in Teams private channels. | Scan Mode |
| Remove Licenses from Blocked Users | Remove licenses from users who have been blocked from signing in. | Scan Mode |
| Remove Licenses from Inactive Users | Remove licenses from users who do not have activities in Microsoft 365 services for a certain period. | Scan Mode |
| Remove Shadow Users | Remove users who have access to the SharePoint Online site but are not part of the Group/Team membership. | Scan Mode |
| Restrict Member Invitations | Control users who have the ability to add users to Groups or Teams. | Auditor Mode |
| Restrict Member Removal | Control users who have the ability to remove members from Microsoft 365 Groups or Teams. | Auditor Mode |
| Restrict Sharing Links | Restrict sharing links that are created by or shared with specific users and groups. | Scan Mode |
| Restrict Sharing Links with Edit Permission | Restrict sharing links with Edit permission that are created by or shared with specific users and groups. | Scan Mode |
| Scan External Users | Scan external users in sites where external sharing is disabled. | Scan Mode |
| Scan Orphaned Users | Scan users or groups that have been deleted or blocked in your Microsoft Entra ID. | Scan Mode |
| Search and Offline Availability Enforcement | Control whether site content can be searched or downloaded to offline clients. | Scan Mode |
| Shared Channel Ownership Enforcement | Enforce specific users to be owners of Teams shared channels. | Scan Mode |
| SharePoint Permission Enforcement | Control permission levels for the specified users and groups on SharePoint sites. | Scan Mode |
| Shared Channel Creation Restriction | Control users who have the ability to create shared channels inside Teams. | Auditor Mode |
| SharePoint Group Membership Enforcement | Enforce specific users to be in the owners, members, or visitors group of a site. | Scan Mode |
| Sharing Link Expiration Enforcement | Enforce the duration of how long sharing links remain active after being created in sites. | Scan Mode |
| Site Collection Administrator Enforcement | Enforce specific users and groups to be in the Site Collection Administrators group of a site. | Scan Mode |
| Site Collection Administrator Number Restriction | Control the number of site collection administrators in a site. | Scan Mode |
| Site Collection Administrator Restriction | Control users who can be added to the Site Collection Administrators group of a site. | Scan Mode |
| Site Content Sharing Settings | Control the external sharing settings for sites. | Scan Mode |
| Site Owner Number Restriction | Control the number of site owners in a site. | Scan Mode |
| Site Owner Restriction | Control users who can be added to the owner group of a site. | Scan Mode |
| Site Sensitivity Label Enforcement | Enforce a defined sensitivity label on sites and remove any existing ones. | Scan Mode |
| Site Storage Enforcement | Enforce storage limit for sites. | Scan Mode |
| Teams Settings Enforcement | Enforce certain Teams settings. | Scan Mode |
| User Permission Replacement | Report or remove permissions from a specific user and assign the permissions to other designated users. | Scan Mode |
| User/Group Restriction | Control users and groups that can be added to sites. | Scan Mode |
The table below lists the supported rules for SharePoint Online sites.
| Rule Name | Rule Description | Data Retrieval Mode |
|---|---|---|
| Access Request Settings | Control access request settings within a site to manage who can request and approve access to a site. | Scan Mode |
| Content Creation and Upload Restriction | Control content creation and upload including items, attachments, and documents based on user, size, file extension, content type, and sensitivity label. | Auditor Mode |
| Content Sensitivity Label Enforcement | Enforce sensitivity labels for documents based on their risk level, sensitivity level, and exposure level. | Scan Mode |
| Control Access from Unmanaged Devices | Block or limit access to SharePoint and OneDrive content from unmanaged devices. | Scan Mode |
| Deletion Restriction | Control users who have the ability to delete objects in sites. | Auditor Mode |
| Guest User Full Control Permission Restriction | Report guest users who have the site-level Full Control permission and remove this permission from them. | Scan Mode |
| Library Default Sensitivity Label Enforcement | Enforce a default sensitivity label for document libraries so that the sensitivity label will be applied to all newly created or edited Office files. | Scan Mode |
| Library Versioning Settings Enforcement | Enforce the versioning settings for all libraries in sites. | Scan Mode |
| List/Library Creation Restriction | Control users who have the ability to create lists and libraries. | Auditor Mode |
| List/Library Object Number Restriction | Control the number of items, documents, and folders in a list/library. | Scan Mode |
| Permission Inheritance Protection | Protect permission inheritance from being broken at specific object levels. | Auditor Mode |
| Permission Level Enforcement for Built-in SharePoint Groups | Enforce permission levels for built-in SharePoint groups, including site owners, site members, and site visitors. | Scan Mode |
| Pre-defined Group Members (Cloud Governance) | Enforce that users you have defined via site collection properties (example: Cloud Governance site contacts) can be added to specified SharePoint Online groups. | Scan Mode |
| Restrict Sharing Links | Restrict sharing links that are created by or shared with specific users and groups. | Scan Mode |
| Restrict Sharing Links with Edit Permission | Restrict sharing links with Edit permission that are created by or shared with specific users and groups. | Scan Mode |
| Scan External Users | Scan external users in sites where external sharing is disabled. | Scan Mode |
| Scan Orphaned Users | Scan users or groups that have been deleted or blocked in your Microsoft Entra ID. | Scan Mode |
| Search and Offline Availability Enforcement | Control whether site content can be searched or downloaded to offline clients. | Scan Mode |
| SharePoint Permission Enforcement | Control permission levels for the specified users and groups on SharePoint sites. | Scan Mode |
| SharePoint Group Membership Enforcement | Enforce specific users to be in the owners, members, or visitors group of a site. | Scan Mode |
| Sharing Link Expiration Enforcement | Enforce the duration of how long sharing links remain active after being created in sites. | Scan Mode |
| Site Collection Administrator Enforcement | Enforce specific users and groups to be in the Site Collection Administrators group of a site. | Scan Mode |
| Site Collection Administrator Number Restriction | Control the number of site collection administrators in a site. | Scan Mode |
| Site Collection Administrator Restriction | Control users who can be added to the Site Collection Administrators group of a site. | Scan Mode |
| Site Content Sharing Settings | Control the external sharing settings for sites. | Scan Mode |
| Site Owner Number Restriction | Control the number of site owners in a site. | Scan Mode |
| Site Owner Restriction | Control users who can be added to the owner group of a site. | Scan Mode |
| Site Sensitivity Label Enforcement | Enforce a defined sensitivity label on sites and remove any existing ones. | Scan Mode |
| Site Storage Enforcement | Enforce storage limit for sites. | Scan Mode |
| User Permission Replacement | Report or remove permissions from a specific user and assign the permissions to other designated users. | Scan Mode |
| User/Group Restriction | Control users and groups that can be added to sites. | Scan Mode |
The table below lists the supported rules for OneDrive.
| Rule Name | Rule Description | Data Retrieval Mode |
|---|---|---|
| Access Request Settings | Control access request settings within a site to manage who can request and approve access to a site. | Scan Mode |
| Content Creation and Upload Restriction | Control content creation and upload including items, attachments, and documents based on user, size, file extension, content type, and sensitivity label. | Auditor Mode |
| Content Sensitivity Label Enforcement | Enforce sensitivity labels for documents based on their risk level, sensitivity level, and exposure level. | Scan Mode |
| Control Access from Unmanaged Devices | Block or limit access to SharePoint and OneDrive content from unmanaged devices. | Scan Mode |
| Deletion Restriction | Control users who have the ability to delete objects in sites. | Auditor Mode |
| Guest User Full Control Permission Restriction | Report guest users who have the site-level Full Control permission and remove this permission from them. | Scan Mode |
| Library Default Sensitivity Label Enforcement | Enforce a default sensitivity label for document libraries so that the sensitivity label will be applied to all newly created or edited Office files. | Scan Mode |
| Library Versioning Settings Enforcement | Enforce the versioning settings for all libraries in sites. | Scan Mode |
| List/Library Creation Restriction | Control users who have the ability to create lists and libraries. | Auditor Mode |
| List/Library Object Number Restriction | Control the number of items, documents, and folders in a list/library. | Scan Mode |
| Permission Level Enforcement for Built-in SharePoint Groups | Enforce permission levels for built-in SharePoint groups, including site owners, site members, and site visitors. | Scan Mode |
| Pre-defined Group Members (Cloud Governance) | Enforce that users you have defined via site collection properties (example: Cloud Governance site contacts) can be added to specified SharePoint Online groups. | Scan Mode |
| Restrict Sharing Links | Restrict sharing links that are created by or shared with specific users and groups. | Scan Mode |
| Restrict Sharing Links with Edit Permission | Restrict sharing links with Edit permission that are created by or shared with specific users and groups. | Scan Mode |
| Scan External Users | Scan external users in sites where external sharing is disabled. | Scan Mode |
| Scan Orphaned Users | Scan users or groups that have been deleted or blocked in your Microsoft Entra ID. | Scan Mode |
| Search and Offline Availability Enforcement | Control whether site content can be searched or downloaded to offline clients. | Scan Mode |
| SharePoint Permission Enforcement | Control permission levels for the specified users and groups on SharePoint sites. | Scan Mode |
| SharePoint Group Membership Enforcement | Enforce specific users to be in the owners, members, or visitors group of a site. | Scan Mode |
| Sharing Link Expiration Enforcement | Enforce the duration of how long sharing links remain active after being created in sites. | Scan Mode |
| Site Collection Administrator Enforcement | Enforce specific users and groups to be in the Site Collection Administrators group of a site. | Scan Mode |
| Site Collection Administrator Number Restriction | Control the number of site collection administrators in a site. | Scan Mode |
| Site Collection Administrator Restriction | Control users who can be added to the Site Collection Administrators group of a site. | Scan Mode |
| Site Content Sharing Settings | Control the external sharing settings for sites. | Scan Mode |
| Site Owner Number Restriction | Control the number of site owners in a site. | Scan Mode |
| Site Owner Restriction | Control users who can be added to the owner group of a site. | Scan Mode |
| Site Sensitivity Label Enforcement | Enforce a defined sensitivity label on sites and remove any existing ones. | Scan Mode |
| Site Storage Enforcement | Enforce storage limit for sites. | Scan Mode |
| User Permission Replacement | Report or remove permissions from a specific user and assign the permissions to other designated users. | Scan Mode |
| User/Group Restriction | Control users and groups that can be added to sites. | Scan Mode |
The table below lists the supported rules for Microsoft 365 Groups including group team sites.
| Rule Name | Rule Description | Data Retrieval Mode |
|---|---|---|
| Access Request Settings | Control access request settings within a site to manage who can request and approve access to a site. | Scan Mode |
| Classification Change Restriction | Prevent changes to the classification of Groups or Teams. | Scan Mode |
| Classification Enforcement | Enforce that all Groups or Teams have a classification assigned to them and assign a default classification if there is none. | Scan Mode |
| Content Creation and Upload Restriction | Control content creation and upload including items, attachments, and documents based on user, size, file extension, content type, and sensitivity label. | Auditor Mode |
| Content Sensitivity Label Enforcement | Enforce sensitivity labels for documents based on their risk level, sensitivity level, and exposure level. | Scan Mode |
| Control Access from Unmanaged Devices | Block or limit access to SharePoint and OneDrive content from unmanaged devices. | Scan Mode |
| Deletion Restriction | Control users who have the ability to delete objects in sites. | Auditor Mode |
| External Sharing Settings | Control the external sharing settings for Groups or Teams. | Scan Mode |
| Groups/Teams Creation Restriction | Control users who have the ability to create Groups or Teams. | Auditor Mode |
| Groups/Teams Name Enforcement | Prevent owners of Groups or Teams from changing their Group or Team name. | Scan Mode |
| Guest User Access Enforcement | Control users who have the ability to add guest users to Groups or Teams. | Auditor Mode |
| Guest User Full Control Permission Restriction | Report guest users who have the site-level Full Control permission and remove this permission from them. | Scan Mode |
| Library Default Sensitivity Label Enforcement | Enforce a default sensitivity label for document libraries so that the sensitivity label will be applied to all newly created or edited Office files. | Scan Mode |
| Library Versioning Settings Enforcement | Enforce the versioning settings for all libraries in sites. | Scan Mode |
| List/Library Creation Restriction | Control users who have the ability to create lists and libraries. | Auditor Mode |
| List/Library Object Number Restriction | Control the number of items, documents, and folders in a list/library. | Scan Mode |
| Member Number Restriction | Control the number of members in Microsoft 365 Groups, Teams, security groups, or distribution lists. | Scan Mode |
| Membership Restriction | Control users who can be added to Microsoft 365 Groups, Teams, security groups, or distribution lists as members. | Scan Mode |
| Microsoft 365 Group Visibility in Outlook Client | Control if a Microsoft 365 Group is visible in the Outlook client. | Scan Mode |
| Owner Number Restriction | Control the number of owners in Microsoft 365 Groups, Teams, security groups, and distribution lists. | Scan Mode |
| Ownership Enforcement | Enforce specific users to be in the owner group of a site. | Scan Mode |
| Ownership Restriction | Control users who can be added to Groups or Teams as owners. | Scan Mode |
| Permission Inheritance Protection | Protect permission inheritance from being broken at specific object levels. | Auditor Mode |
| Permission Level Enforcement for Built-in SharePoint Groups | Enforce permission levels for built-in SharePoint groups, including site owners, site members, and site visitors. | Scan Mode |
| Pre-defined Group Members (Cloud Governance) | Enforce that users you have defined via site collection properties (example: Cloud Governance site contacts) can be added to specified SharePoint Online groups. | Scan Mode |
| Privacy Restriction | Control the privacy settings of Groups or Teams. | Scan Mode |
| Remove Shadow Users | Remove users who have access to the SharePoint Online site but are not part of the Group/Team membership. | Scan Mode |
| Restrict Member Invitations | Control users who have the ability to add users to Groups or Teams. | Auditor Mode |
| Restrict Member Removal | Control users who have the ability to remove members from Microsoft 365 Groups or Teams. | Auditor Mode |
| Restrict Sharing Links | Restrict sharing links that are created by or shared with specific users and groups. | Scan Mode |
| Restrict Sharing Links with Edit Permission | Restrict sharing links with Edit permission that are created by or shared with specific users and groups. | Scan Mode |
| Scan External Users | Scan external users in sites where external sharing is disabled. | Scan Mode |
| Scan Orphaned Users | Scan users or groups that have been deleted or blocked in your Microsoft Entra ID. | Scan Mode |
| Search and Offline Availability Enforcement | Control whether site content can be searched or downloaded to offline clients. | Scan Mode |
| SharePoint Permission Enforcement | Control permission levels for the specified users and groups on SharePoint sites. | Scan Mode |
| Sharing Link Expiration Enforcement | Enforce the duration of how long sharing links remain active after being created in sites. | Scan Mode |
| Site Collection Administrator Enforcement | Enforce specific users and groups to be in the Site Collection Administrators group of a site. | Scan Mode |
| Site Collection Administrator Number Restriction | Control the number of site collection administrators in a site. | Scan Mode |
| Site Collection Administrator Restriction | Control users who can be added to the Site Collection Administrators group of a site. | Scan Mode |
| Site Content Sharing Settings | Control the external sharing settings for sites. | Scan Mode |
| Site Owner Number Restriction | Control the number of site owners in a site. | Scan Mode |
| Site Owner Restriction | Control users who can be added to the owner group of a site. | Scan Mode |
| Site Sensitivity Label Enforcement | Enforce a defined sensitivity label on sites and remove any existing ones. | Scan Mode |
| Site Storage Enforcement | Enforce storage limit for sites. | Scan Mode |
| User Permission Replacement | Report or remove permissions from a specific user and assign the permissions to other designated users. | Scan Mode |
| User/Group Restriction | Control users and groups that can be added to sites. | Scan Mode |
The table below lists the supported rules for Microsoft Teams including group team sites.
| Rule Name | Rule Description | Data Retrieval Mode |
|---|---|---|
| Access Request Settings | Control access request settings within a site to manage who can request and approve access to a site. | Scan Mode |
| Classification Change Restriction | Prevent changes to the classification of Groups or Teams. | Scan Mode |
| Classification Enforcement | Enforce that all Groups or Teams have a classification assigned to them and assign a default classification if there is none. | Scan Mode |
| Content Creation and Upload Restriction | Control content creation and upload including items, attachments, and documents based on user, size, file extension, content type, and sensitivity label. | Auditor Mode |
| Content Sensitivity Label Enforcement | Enforce sensitivity labels for documents based on their risk level, sensitivity level, and exposure level. | Scan Mode |
| Control Access from Unmanaged Devices | Block or limit access to SharePoint and OneDrive content from unmanaged devices. | Scan Mode |
| Deletion Restriction | Control users who have the ability to delete objects in sites. | Auditor Mode |
| External Sharing Settings | Control the external sharing settings for Groups or Teams. | Scan Mode |
| Groups/Teams Creation Restriction | Control users who have the ability to create Groups or Teams. | Auditor Mode |
| Groups/Teams Name Enforcement | Prevent owners of Groups or Teams from changing their Group or Team name. | Scan Mode |
| Guest User Access Enforcement | Control users who have the ability to add guest users to Groups or Teams. | Auditor Mode |
| Guest User Full Control Permission Restriction | Report guest users who have the site-level Full Control permission and remove this permission from them. | Scan Mode |
| Library Default Sensitivity Label Enforcement | Enforce a default sensitivity label for document libraries so that the sensitivity label will be applied to all newly created or edited Office files. | Scan Mode |
| Library Versioning Settings Enforcement | Enforce the versioning settings for all libraries in sites. | Scan Mode |
| List/Library Creation Restriction | Control users who have the ability to create lists and libraries. | Auditor Mode |
| List/Library Object Number Restriction | Control the number of items, documents, and folders in a list/library. | Scan Mode |
| Member Number Restriction | Control the number of members in Microsoft 365 Groups, Teams, security groups, or distribution lists. | Scan Mode |
| Membership Restriction | Control users who can be added to Microsoft 365 Groups, Teams, security groups, or distribution lists as members. | Scan Mode |
| Microsoft 365 Group Visibility in Outlook Client | Control if a Microsoft 365 Group is visible in the Outlook client. | Scan Mode |
| Owner Number Restriction | Control the number of owners in Microsoft 365 Groups, Teams, security groups, and distribution lists. | Scan Mode |
| Ownership Enforcement | Enforce specific users to be in the owner group of a site. | Scan Mode |
| Ownership Restriction | Control users who can be added to Groups or Teams as owners. | Scan Mode |
| Permission Inheritance Protection | Protect permission inheritance from being broken at specific object levels. | Auditor Mode |
| Permission Level Enforcement for Built-in SharePoint Groups | Enforce permission levels for built-in SharePoint groups, including site owners, site members, and site visitors. | Scan Mode |
| Pre-defined Group Members (Cloud Governance) | Enforce that users you have defined via site collection properties (example: Cloud Governance site contacts) can be added to specified SharePoint Online groups. | Scan Mode |
| Privacy Restriction | Control the privacy settings of Groups or Teams. | Scan Mode |
| Private Channel Ownership Enforcement | Enforce specific users to be owners of Teams private channels. | Scan Mode |
| Private Channel Owner Number Restriction | Control the number of owners in Teams private channels. | Scan Mode |
| Remove Shadow Users | Remove users who have access to the SharePoint Online site but are not part of the Group/Team membership. | Scan Mode |
| Restrict Member Invitations | Control users who have the ability to add users to Groups or Teams. | Auditor Mode |
| Restrict Member Removal | Control users who have the ability to remove members from Microsoft 365 Groups or Teams. | Auditor Mode |
| Restrict Sharing Links | Restrict sharing links that are created by or shared with specific users and groups. | Scan Mode |
| Restrict Sharing Links with Edit Permission | Restrict sharing links with Edit permission that are created by or shared with specific users and groups. | Scan Mode |
| Scan External Users | Scan external users in sites where external sharing is disabled. | Scan Mode |
| Scan Orphaned Users | Scan users or groups that have been deleted or blocked in your Microsoft Entra ID. | Scan Mode |
| Search and Offline Availability Enforcement | Control whether site content can be searched or downloaded to offline clients. | Scan Mode |
| Shared Channel Ownership Enforcement | Enforce specific users to be owners of Teams shared channels. | Scan Mode |
| SharePoint Permission Enforcement | Control permission levels for the specified users and groups on SharePoint sites. | Scan Mode |
| Shared Channel Creation Restriction | Control users who have the ability to create shared channels inside Teams. | Auditor Mode |
| Sharing Link Expiration Enforcement | Enforce the duration of how long sharing links remain active after being created in sites. | Scan Mode |
| Site Collection Administrator Enforcement | Enforce specific users and groups to be in the Site Collection Administrators group of a site. | Scan Mode |
| Site Collection Administrator Number Restriction | Control the number of site collection administrators in a site. | Scan Mode |
| Site Collection Administrator Restriction | Control users who can be added to the Site Collection Administrators group of a site. | Scan Mode |
| Site Content Sharing Settings | Control the external sharing settings for sites. | Scan Mode |
| Site Owner Number Restriction | Control the number of site owners in a site. | Scan Mode |
| Site Owner Restriction | Control users who can be added to the owner group of a site. | Scan Mode |
| Site Sensitivity Label Enforcement | Enforce a defined sensitivity label on sites and remove any existing ones. | Scan Mode |
| Site Storage Enforcement | Enforce storage limit for sites. | Scan Mode |
| Teams Settings Enforcement | Enforce certain Teams settings. | Scan Mode |
| User Permission Replacement | Report or remove permissions from a specific user and assign the permissions to other designated users. | Scan Mode |
| User/Group Restriction | Control users and groups that can be added to sites. | Scan Mode |
The table below lists the supported rules for Microsoft 365 users.
| Rule Name | Rule Description | Data Retrieval Mode |
|---|---|---|
| Remove Licenses from Blocked Users | Remove licenses from users who have been blocked from signing in. | Scan Mode |
| Remove Licenses from Inactive Users | Remove licenses from users who do not have activities in Microsoft 365 services for a certain period. | Scan Mode |
The table below lists the supported rules for Exchange mailboxes.
| Rule Name | Rule Description | Data Retrieval Mode |
|---|---|---|
| Automatic Forwarding Restriction | Restrict users from auto-forwarding emails. | Scan Mode |
| Deleted Item Retention Period Enforcement | Set the retention period that permanently deleted mailbox items are kept in the Recoverable Items folder. | Scan Mode |
| Legacy Email Protocols Restriction | Restrict the use of legacy email protocols, including POP, SMTP, and IMAP protocols, to prevent password spray attacks that may breach mailboxes in your tenants. | Scan Mode |
| Message Size Restriction | Restrict the maximum size for messages sent and received by mailboxes. | Scan Mode |
The table below lists the supported rules for security groups and distribution groups.
| Rule Name | Rule Description | Data Retrieval Mode |
|---|---|---|
| Control Group Visibility in Global Address List | Control the visibility of mail-enabled security groups and distribution lists in the global address list. | Scan Mode |
| Member Number Restriction | Control the number of members in Microsoft 365 Groups, Teams, security groups, or distribution lists. | Scan Mode |
| Membership Restriction | Control users who can be added to Microsoft 365 Groups, Teams, security groups, or distribution lists as members. | Scan Mode |
| Owner Number Restriction | Control the number of owners in Microsoft 365 Groups, Teams, security groups, and distribution lists. | Scan Mode |

The table below lists the rules for service-level policies where a Microsoft 365 license is required.

| Rule Name | Rule Description | Required Microsoft 365 License |
|---|---|---|
| Content Sensitivity Label Enforcement | Enforce sensitivity labels for documents based on their risk level, sensitivity level, and exposure level. | Microsoft 365 E5 License |
| Site Sensitivity Label Enforcement | Enforce a defined sensitivity label on sites and remove any existing ones. | Microsoft 365 E5 License |
| Library Default Sensitivity Label Enforcement | Enforce a default sensitivity label for document libraries so that the sensitivity label will be applied to all newly created or edited Office files. | Microsoft 365 E5 License |
| Content Creation and Upload Restriction | Control content creation and upload including items, attachments, and documents based on user, size, file extension, content type, and sensitivity label. | Microsoft 365 E5 License |

The table below lists the rules for service-level policies where an additional AvePoint service subscription is required.

| Rule Name | Rule Description | Required Additional Service Subscription |
|---|---|---|
| Remove Licenses from Blocked Users | Remove licenses from users who have been blocked from signing in. | Cense |
| Remove Licenses from Inactive Users | Remove licenses from users who have had no activity in Microsoft 365 services for a certain period. | Cense |
| Content Sensitivity Label Enforcement | Enforce sensitivity labels for documents based on their risk level, sensitivity level, and exposure level. | Insights |
| Guest User Full Control Permission Restriction | Report guest users who have the site-level Full Control permission and remove this permission from them. | Insights |
| Permission Inheritance Protection | Protect permission inheritance from being broken at specific object levels. | Insights (Required if you want to configure the "Monitor all objects" rule setting.) |
| Remove Shadow Users | Remove users who have access to the SharePoint Online site but are not part of the Group/Team membership. | Insights |
| Restrict Sharing Links | Restrict sharing links that are created by or shared with specific users and groups. | Insights |
| Restrict Sharing Links with Edit Permission | Restrict sharing links with Edit permission that are created by or shared with specific users and groups. | Insights |
| SharePoint Permission Enforcement | Control permission levels for the specified users and groups on SharePoint sites. | Insights |
| Sharing Link Expiration Enforcement | Enforce how long sharing links remain active after being created in sites. | Insights |
| User Permission Replacement | Report or remove permissions from a specific user and assign the permissions to other designated users. | Insights |
| User/Group Restriction | Control users and groups that can be added to sites. | Insights (Required if you want to use the "Skip users/groups who do not have any permission to objects in sites" rule setting.) |
| Owner Number Restriction | Control the number of owners in a site. | tyGraph (Required if you want to use the "Assign the best owner" auto-fix action.) |

Depending on the scale of your Microsoft 365 environment, the Enforce policy job for some rules may take a significant amount of time to complete. For the rules in the table below that require a lower frequency, you can set independent scan intervals. Note that for these rules, the independent scan intervals take precedence over the general policy-level schedule.

| Rule Name | Rule Description |
|---|---|
| Classification Change Restriction | Prevent changes to the classification of Groups or Teams. |
| Content Creation and Upload Restriction | Control content creation and upload including items, attachments, and documents based on user, size, file extension, content type, and sensitivity label. |
| Content Sensitivity Label Enforcement | Enforce sensitivity labels for documents based on their risk level, sensitivity level, and exposure level. |
| Deletion Restriction | Control users who have the ability to delete objects in sites. |
| Groups/Teams Creation Restriction | Control users who have the ability to create Groups or Teams. |
| Groups/Teams Name Enforcement | Prevent owners of Groups or Teams from changing their Group or Team name. |
| Guest User Access Enforcement | Control users who have the ability to add guest users to Groups or Teams. |
| List/Library Creation Restriction | Control users who have the ability to create lists and libraries. |
| List/Library Object Number Restriction | Control the number of items, documents, and folders in a list/library. |
| Permission Inheritance Protection | Protect permission inheritance from being broken at specific object levels. |
| Restrict Sharing Links | Restrict sharing links that are created by or shared with specific users and groups. |
| SharePoint Permission Enforcement | Control permission levels for the specified users and groups on SharePoint sites. |
| Sharing Link Expiration Enforcement | Enforce how long sharing links remain active after being created in sites. |

The table below lists the rules for service-level policies where the Exchange Administrator role is required.

| Rule Name | Rule Description |
|---|---|
| Automatic Forwarding Restriction | Restrict users from auto-forwarding emails. |
| Deleted Item Retention Period Enforcement | Set the retention period that permanently deleted mailbox items are kept in the Recoverable Items folder. |
| Legacy Email Protocols Restriction | Restrict the use of legacy email protocols, including POP, SMTP, and IMAP protocols, to prevent password spray attacks that may breach mailboxes in your tenants. |
| Message Size Restriction | Restrict the maximum size for messages sent and received by mailboxes. |