Policies for Microsoft 365 uses two data retrieval modes to detect violations: auditor mode and scan mode. In auditor mode, the system collects audit events from Microsoft 365 and flags the ones that do not comply with the policy. In scan mode, the system proactively reads the relevant configuration in Microsoft 365 and flags the settings or objects that violate the policy.
The table below provides a comprehensive overview of all supported rules for tenant-level policies.
| Rule Name | Rule Description | Data Retrieval Mode |
|---|---|---|
| Automatic Forwarding Restriction | Restrict users from auto-forwarding emails. | Scan Mode |
| Bypass Spam Filtering Rule Restriction | Restrict users from creating the mail flow rule to skip spam filtering when receiving emails from specific domains. | Scan Mode |
| Control Access from Unmanaged Devices | Block or limit access to SharePoint and OneDrive content from unmanaged devices. | Scan Mode |
| Control Anonymous Calendar Sharing | Control whether users are allowed to share their calendars with anonymous users outside the organization. | Scan Mode |
| Control Exchange Online PowerShell Access for Non-administrators | Control Exchange Online PowerShell access for non-administrators. | Scan Mode |
| Control Focused Inbox | Control whether to enable the focused inbox view for users. | Scan Mode |
| Control Mailbox Auditing for All Users | Control whether to enable mailbox auditing for all users. | Scan Mode |
| Control Plus Addressing | Control whether users can use plus addressing to quickly create custom email addresses based on their standard email addresses. | Scan Mode |
| Control Sending Emails from Aliases | Control whether users are allowed to send emails from aliases. | Scan Mode |
| Deleted Item Retention Period Enforcement | Set the retention period that permanently deleted mailbox items are kept in the Recoverable Items folder. | Scan Mode |
| DKIM Signature Enforcement | Sign outbound emails for your domains with DKIM (DomainKeys Identified Mail) signatures so that recipients can verify the sending domain. | Scan Mode |
| Ghost Guest User Detection | Detect guests who do not have any membership in SharePoint Online sites, Groups, or Teams. (Groups include Microsoft 365 Groups, distribution groups, dynamic distribution groups, security groups, mail-enabled security groups, and shared mailboxes.) | Scan Mode |
| Groups Guest Access Restriction | Control whether people outside your organization can be invited as guests and access group content. | Scan Mode |
| Groups/Teams Creation Restriction | Control users who have the ability to create Groups or Teams. | Auditor Mode |
| Groups/Teams Deletion Restriction | Control users who have the ability to delete Groups or Teams. | Auditor Mode |
| International Spam Prevention | Block email messages that are written in specific languages or sent from specific countries or regions. | Scan Mode |
| Legacy Email Protocols Restriction | Restrict the use of legacy email protocols (POP, IMAP, and SMTP AUTH), which rely on basic authentication and are the usual target of password spray attacks against mailboxes in your tenants. | Scan Mode |
| Malware Prevention | Protect your organization from malware by quarantining email messages where malware is detected. | Scan Mode |
| Message Size Restriction | Restrict the maximum size for messages sent and received by mailboxes. | Scan Mode |
| Outbound Spam Prevention | Protect your organization from outbound spam. | Scan Mode |
| Outlook External Email Tag Enforcement | Choose whether to add tags to external emails in Outlook to help users identify emails from external senders. | Scan Mode |
| Remove Inactive Guest Users | Remove guest users who do not have any activities in SharePoint Online sites, Groups, and Teams for certain days. | Scan Mode |
| Rich-Text Format Restriction | Restrict the use of rich-text format in emails to prevent malformed emails from being sent to other users. | Scan Mode |
| Shared Mailbox Sign-In Restriction | Control whether users are allowed to sign in directly with the user account associated with a shared mailbox. | Scan Mode |
| Tenant-level Site Content External Sharing Settings | Control the tenant-level external sharing settings for SharePoint and OneDrive. | Scan Mode |
| Teams Tagging Settings | Control how tags are used across your organization. | Scan Mode |
| User Restriction | Enforce that specific users can only be assigned membership of the specified Groups/Teams. | Scan Mode |
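Most of the scan-mode rules above correspond to tenant-wide Exchange Online settings that can be inspected directly. The following read-only PowerShell audit is an added example, not code from Policies for Microsoft 365 or from this page; it assumes the ExchangeOnlineManagement module is installed and that the connecting account holds the Exchange Administrator role (the role the page lists for these rules). The cmdlets are standard Exchange Online cmdlets; the function name `Get-TenantMailPolicyFindings`, the `$MinDeletedItemRetentionDays` parameter and the output shape are this example's own.

```powershell
# Added example: read-only audit of the Exchange Online settings behind several
# scan-mode rules above. Not part of Policies for Microsoft 365.
# Assumes the ExchangeOnlineManagement module and the Exchange Administrator role.
#Requires -Modules ExchangeOnlineManagement

function Get-TenantMailPolicyFindings {
    [CmdletBinding()]
    param(
        # Target for Deleted Item Retention Period Enforcement (30 days is the EXO maximum).
        [int]$MinDeletedItemRetentionDays = 30
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Rule, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Rule = $Rule; Detail = $Detail })
    }

    # Automatic Forwarding Restriction: external auto-forwarding is governed by the
    # outbound spam policy (AutoForwardingMode) and by the default remote domain.
    foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
        if ($p.AutoForwardingMode -ne 'Off') {
            Add-Finding 'Automatic Forwarding Restriction' "Outbound spam policy '$($p.Name)' has AutoForwardingMode=$($p.AutoForwardingMode)"
        }
    }
    if ((Get-RemoteDomain Default).AutoForwardEnabled) {
        Add-Finding 'Automatic Forwarding Restriction' "Remote domain 'Default' allows auto-forwarding"
    }

    # Bypass Spam Filtering Rule Restriction: a mail flow rule that sets SCL to -1
    # moves every matching message past the spam filter.
    foreach ($r in Get-TransportRule) {
        if ($r.SetSCL -eq -1) {
            Add-Finding 'Bypass Spam Filtering Rule Restriction' "Mail flow rule '$($r.Name)' sets SCL -1 (state: $($r.State))"
        }
    }

    # Control Mailbox Auditing for All Users: AuditDisabled=$true switches auditing
    # off for the whole tenant regardless of per-mailbox settings.
    if ((Get-OrganizationConfig).AuditDisabled) {
        Add-Finding 'Control Mailbox Auditing for All Users' 'Organization-level mailbox auditing is disabled'
    }

    # DKIM Signature Enforcement: signing should be enabled for every configured domain.
    foreach ($d in Get-DkimSigningConfig) {
        if (-not $d.Enabled) {
            Add-Finding 'DKIM Signature Enforcement' "DKIM signing is disabled for $($d.Domain)"
        }
    }

    # Legacy Email Protocols Restriction: basic auth for POP/IMAP/SMTP is what
    # password-spray tooling uses; check authentication policies and the
    # tenant-wide SMTP AUTH switch.
    foreach ($ap in Get-AuthenticationPolicy) {
        $open = @()
        if ($ap.AllowBasicAuthPop)  { $open += 'POP' }
        if ($ap.AllowBasicAuthImap) { $open += 'IMAP' }
        if ($ap.AllowBasicAuthSmtp) { $open += 'SMTP' }
        if ($open.Count -gt 0) {
            Add-Finding 'Legacy Email Protocols Restriction' "Authentication policy '$($ap.Name)' allows basic auth for $($open -join ', ')"
        }
    }
    if (-not (Get-TransportConfig).SmtpClientAuthenticationDisabled) {
        Add-Finding 'Legacy Email Protocols Restriction' 'SMTP AUTH is enabled tenant-wide'
    }

    # Control Anonymous Calendar Sharing: an "Anonymous:" entry in a sharing
    # policy lets users publish calendars to people outside the organization.
    foreach ($sp in Get-SharingPolicy) {
        $anon = @($sp.Domains | Where-Object { $_ -like 'Anonymous:*' })
        if ($anon.Count -gt 0) {
            Add-Finding 'Control Anonymous Calendar Sharing' "Sharing policy '$($sp.Name)' permits: $($anon -join '; ')"
        }
    }

    # Outlook External Email Tag Enforcement
    foreach ($x in Get-ExternalInOutlook) {
        if (-not $x.Enabled) {
            Add-Finding 'Outlook External Email Tag Enforcement' "External sender tagging is off ($($x.Identity))"
        }
    }

    # Deleted Item Retention Period Enforcement: mailboxes below the target value.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.RetainDeletedItemsFor.Days -lt $MinDeletedItemRetentionDays } |
        ForEach-Object {
            Add-Finding 'Deleted Item Retention Period Enforcement' "$($_.UserPrincipalName) keeps deleted items for $($_.RetainDeletedItemsFor.Days) days"
        }

    return $findings
}

Connect-ExchangeOnline -ShowBanner:$false
Get-TenantMailPolicyFindings | Format-Table -AutoSize
```

The script only reads configuration; enforcement (turning a setting on or off) is what the policy's Enforce job does, so this is useful as an independent check of what a scan-mode rule would flag, or as a baseline before enabling a rule. The `Get-Mailbox` enumeration is the slow part in a large tenant, which matches the page's later note that some rules take a long time to run.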
Note the following:
If you want Policies for Microsoft 365 to skip checking security group memberships in the Ghost Guest User Detection rule, select Skip any user access granted by membership in security groups in the rule settings. When this option is selected, a guest is reported as a ghost guest user if they have no direct membership in any SharePoint Online site, Team, or Group other than security groups, which are ignored.
Following Microsoft's announcement in Update your applications to use Microsoft Authentication Library and Microsoft Graph API – Microsoft Tech Community, the MFA management API that Policies for Microsoft 365 relied on is no longer supported. The MFA Status Enforcement rule was therefore removed on March 6, 2022.
Due to API limitations, the notification settings for quarantined messages and undelivered messages are no longer available, so the corresponding settings were removed from the Malware Prevention rule.
The table below lists the rules for tenant-level policies where a Microsoft 365 license is required.
| Rule Name | Rule Description | Required Microsoft 365 License |
|---|---|---|
| Remove Inactive Guest Users | Remove guest users who do not have any activities in SharePoint Online sites, Groups, and Teams for certain days. | Microsoft Entra ID P1 or P2 License |
Depending on the size of your Microsoft 365 environment, the Enforce policy job for some rules may take a significant amount of time to complete. For the rules listed below, which typically need to run less often, you can set an independent scan interval; where one is set, it takes precedence over the general policy-level schedule.
| Rule Name | Rule Description |
|---|---|
| Ghost Guest User Detection | Detect guests who do not have any membership in SharePoint Online sites, Groups, and Teams. |
| Groups/Teams Creation Restriction | Control users who have the ability to create Groups or Teams. |
| Groups/Teams Deletion Restriction | Control users who have the ability to delete Groups or Teams. |
| Remove Inactive Guest Users | Remove guest users who do not have any activities in SharePoint Online sites, Groups, and Teams for certain days. |
| User Restriction | Enforce that specific users can only be assigned membership of the specified Groups/Teams. |
The table below lists the rules for tenant-level policies where the Exchange Administrator role is required.
| Rule Name | Rule Description |
|---|---|
| Automatic Forwarding Restriction | Restrict users from auto-forwarding emails. |
| Bypass Spam Filtering Rule Restriction | Restrict users from creating the mail flow rule to skip spam filtering when receiving emails from specific domains. |
| Control Anonymous Calendar Sharing | Control whether users are allowed to share their calendars with anonymous users outside the organization. |
| Control Mailbox Auditing for All Users | Control whether to enable mailbox auditing for all users. |
| Control Exchange Online PowerShell Access for Non-administrators | Control Exchange Online PowerShell access for non-administrators. |
| Control Focused Inbox | Control whether to enable the focused inbox view for users. |
| Control Plus Addressing | Control whether users can use plus addressing to quickly create custom email addresses based on their standard email addresses. |
| Control Sending Emails from Aliases | Control whether users are allowed to send emails from aliases. |
| Deleted Item Retention Period Enforcement | Set the retention period that permanently deleted mailbox items are kept in the Recoverable Items folder. |
| DKIM Signature Enforcement | Sign outbound emails for your domains with DKIM (DomainKeys Identified Mail) signatures so that recipients can verify the sending domain. |
| International Spam Prevention | Block email messages that are written in specific languages or sent from specific countries or regions. |
| Legacy Email Protocols Restriction | Restrict the use of legacy email protocols (POP, IMAP, and SMTP AUTH), which rely on basic authentication and are the usual target of password spray attacks against mailboxes in your tenants. |
| Malware Prevention | Protect your organization from malware by quarantining email messages where malware is detected. |
| Message Size Restriction | Restrict the maximum size for messages sent and received by mailboxes. |
| Outbound Spam Prevention | Protect your organization from outbound spam. |
| Outlook External Email Tag Enforcement | Choose whether to add tags to external emails in Outlook to help users identify emails from external senders. |
| Rich-Text Format Restriction | Restrict the use of rich-text format in emails to prevent malformed emails from being sent to other users. |
| Shared Mailbox Sign-In Restriction | Control whether users are allowed to sign in directly with the user account associated with a shared mailbox. |