#Detailed Rule Settings

Rule settings vary by specific rule. Currently, we provide detailed information on the 20 most frequently used rules, covering both service-level and tenant-level policies. Documentation for additional rules will be added in future updates.

#SharePoint Sites

Refer to the following sections for the detailed rule configurations.

#Access Requests Settings

Use this rule to control access requests settings, including options to allow members to share content and to allow access requests.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Sharing settings – Choose whether to allow members to share the site and individual files and folders. If sharing is allowed, you can further specify members are allowed to invite others directly to the site members group. To exclude sharing settings from being monitored, select Do not monitor the settings.

3. Access settings – Choose whether to allow users to request access to the site. If access request is allowed, designate who will receive email notifications for new requests. To exclude access settings from being monitored, select Do not monitor the settings.

4. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Reset access requests settings – Select this checkbox if you want to automatically reset the site’s access requests settings to the configured rule settings once they are identified as non-compliant.

5. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

#Content Creation and Upload Restriction

Use this rule to control content creation and upload including items, attachments, and documents based on user, size, file extension, content type, and sensitivity label.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Select the rule settings that you want to use:

   • Choose who has the capability to create and upload content – Select an option:

     • Only allow the specified users to create and upload content – Select this option, enter usernames in the text box, and select target users. Only the specified users are allowed to create and upload content.

     • Select a Defined Group – Besides specifying users/groups one by one, you can select a Defined Group. A Defined Group allows you to specify criteria with which to identify the specific users or groups to assign a rule.

     • Restrict the specified users from creating and uploading content – Select this option, enter user/group names in the text box, and select target users/groups. The specified users are not allowed to create and upload content.

     • Select a Defined Group – Besides specifying users/groups one by one, you can select a Defined Group. A Defined Group allows you to specify criteria with which to identify the specific users or groups to assign a rule.

   • Control files by maximum upload size – Select this setting and then specify a size limit. Any file larger than this limit is not allowed.

   • Control files by file extension – Select this setting and then specify prohibited file extensions, separating multiple extensions with semicolons. Files with these extensions are not allowed.

   • Control files by content type – Select this setting and then specify prohibited content types, separating multiple content types with semicolons. Files with these content types are not allowed.

   • Control documents by sensitivity label – Select this setting to control document uploads by their sensitivity label. Select the tenant and then select the sensitivity labels that are permitted for uploads. You can further define whether to skip monitoring documents that do not support sensitivity labels.

   • Control documents by the priority of sensitivity label – Select this setting to control document uploads by the priority of the applied sensitivity label. Note that documents with a higher priority number are more sensitive and have stricter access and usage controls.

     Add conditions, for example, the document’s sensitivity label should be As sensitive as, less sensitive than, or More sensitive than the Site’s sensitivity label or a Specific label you define. Combine multiple conditions using the And/Or logical operator.

     In addition, you can choose whether to skip monitoring documents that do not support sensitivity labels.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Delete the out-of-policy content to the Recycle Bin – Select this checkbox if you want to automatically delete the content to the Recycle Bin once they are identified as non-compliant.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

5. Independent scan interval – Independent scan interval is supported for this rule, allowing you to set an independent scan interval for the Enforce policy job. When enabled, this rule-specific scan interval takes precedence over the general schedule set at the policy level.

   For policies containing this rule, the Enforce policy job may require considerable time to complete, particularly in larger Microsoft 365 environments. To help optimize performance, we recommend that you set a lower frequency for this rule.

   • Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs to scan your Microsoft 365 environment according to the configured interval.

   • Scan start time – When the scan interval is set to Days, Weeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.

     • For daily scans, you need to set a specific time. The job will start daily at the defined time.

     • For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.

     • For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.

#Permission Inheritance Protection

Use this rule to protect permission inheritance from being broken at specific object levels.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Configure rule settings:

   • Select object levels – Select the objects to monitor. Options include Site, List, Folder, Item.

   • Define the object scope – Select the range of objects to be evaluated:

     • Monitor all objects – Select this option to check all existing objects within the defined levels to identify violations.

       Prerequisite: To use this setting, a subscription for Insights will be required.

     • Only monitor the newly found objects after this rule is enabled – Select this option to check only objects discovered after this rule is enabled. This is done by checking audit events collected from the time the policy is enforced.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Restore permission inheritance – Select this checkbox if you want to automatically restore broken permission inheritance for the objects once they are identified as non-compliant. This action will remove unique permissions and re-inherit them from the parent object.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

5. Independent scan interval – Independent scan interval is supported for this rule, allowing you to set an independent scan interval for the Enforce policy job. When enabled, this rule-specific scan interval takes precedence over the general schedule set at the policy level.

   For policies containing this rule, the Enforce policy job may require considerable time to complete, particularly in larger Microsoft 365 environments. To help optimize performance, we recommend that you set a lower frequency for this rule.

   • Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs to scan your Microsoft 365 environment according to the configured interval.

   • Scan start time – When the scan interval is set to Days, Weeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.

     • For daily scans, you need to set a specific time. The job will start daily at the defined time.

     • For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.

     • For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.

#Pre-defined Group Members (Cloud Governance)

Use this rule to ensure users you have defined via site collection properties (example: Cloud Governance site contacts) belong to the designated SharePoint groups.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Configure rule – Add criterion to define the site collection property and the target SharePoint group. Users who meet the property must be members of the designated SharePoint group. You can add multiple criteria.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Add these users to the designated SharePoint groups if they are not already members – Select this checkbox if you want to automatically add users to the designated SharePoint groups once they are found missing from the groups.

   • Remove other existing users from the designated SharePoint groups – Select this checkbox if you want to automatically remove any users not explicitly listed from the designated SharePoint groups. This action will ensure only the defined users exist in the designated SharePoint groups.

   • Remove these users from other SharePoint groups that they belong to – Select this checkbox if you want to automatically remove the users from all other SharePoint groups. This action will limit their membership to the specified SharePoint groups only.

   • Move the site owners who are no longer the primary or secondary contact to the site members group – Select this option if you want to automatically move site owners from the site owners group to the site members group once they are found not the site’s primary or secondary contact.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

#Scan External Users

Use this rule to scan external users in sites where external sharing is disabled.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Remove the out-of-policy users from sites – Select this checkbox if you want to automatically remove the external users from the site once they are identified as non-compliant.

3. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

4. Independent scan interval – Independent scan interval is supported for this rule, allowing you to set an independent scan interval for the Enforce policy job. When enabled, this rule-specific scan interval takes precedence over the general schedule set at the policy level.

   For policies containing this rule, the Enforce policy job may require considerable time to complete, particularly in larger Microsoft 365 environments. To help optimize performance, we recommend that you set a lower frequency for this rule.

   • Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs to scan your Microsoft 365 environment according to the configured interval.

   • Scan start time – When the scan interval is set to Days, Weeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.

     • For daily scans, you need to set a specific time. The job will start daily at the defined time.

     • For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.

     • For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.

#Scan Orphaned Users

Use this rule to scan users or groups that have been deleted or blocked in your Microsoft Entra ID.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Select the rule settings that you want to use:

   • Scan users who have been blocked in Microsoft Entra ID – Select this rule setting if you want to scan users who have been blocked (disabled for sign-in) in Microsoft Entra ID.

   • Scan users who have been deleted from Microsoft Entra ID – Select this rule setting if you want to scan users who have been deleted from Microsoft Entra ID.

   • Scan groups that have been deleted from Microsoft Entra ID – Select this rule setting if you want to scan groups that have been deleted from Microsoft Entra ID.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Remove the out-of-policy users/groups from sites – Select this checkbox if you want to automatically remove the orphaned users/groups from the site once they are identified as non-compliant.

     • Before removal, enforce a new primary admin if the orphaned user is the primary admin – To prevent a site from losing its primary admin, select this checkbox and then select a new primary admin from: primary contact, secondary contact, or a specific user. If the user to be removed is the site's primary admin, Policies for Microsoft 365 will first assign a new primary admin.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

5. Independent scan interval – Independent scan interval is supported for this rule, allowing you to set an independent scan interval for the Enforce policy job. When enabled, this rule-specific scan interval takes precedence over the general schedule set at the policy level.

   For policies containing this rule, the Enforce policy job may require considerable time to complete, particularly in larger Microsoft 365 environments. To help optimize performance, we recommend that you set a lower frequency for this rule.

   • Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs to scan your Microsoft 365 environment according to the configured interval.

   • Scan start time – When the scan interval is set to Days, Weeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.

     • For daily scans, you need to set a specific time. The job will start daily at the defined time.

     • For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.

     • For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.

#Site Collection Administrator Enforcement

Use this rule to enforce specific users and groups to be in the Site Collection Administrators group of a site and designate a primary admin.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Select the rule settings that you want to use:

   • Enforce the following users and groups to be in the Site Collection Administrators group – To enforce specific users and groups to members of the Site Collection Administrators group, enter their names in the text box and select the target users/groups.

   • Enforce the primary contact (Cloud Governance) to be in the Site Collection Administrators group – Select this checkbox if you want to enforce the primary contact (from Cloud Governance) to be a member of the Site Collection Administrators group.

   • Enforce the secondary contact (Cloud Governance) to be in the Site Collection Administrators group – Select this checkbox if you want to enforce the secondary contact (from Cloud Governance) to be a member of the Site Collection Administrators group.

   • Designate a primary admin – Select this checkbox if you want to designate a primary admin for the site: primary contact, secondary contact, or a specific user.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Add specified users and groups to the Site Collection Administrators group of the site – Select this checkbox if you want to automatically add the specified users and groups to the Site Collection Administrators group of the site once they are found missing from it.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

#Site Collection Administrator Restriction

Use this rule to control users and groups that are allowed to be added to the Site Collection Administrators group of a site.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Select the rule settings that you want to use:

   • Choose who is allowed to be added to the Site Collection Administrators group of a site – Select an option:

     • Only the specified users and groups are allowed to be added to the Site Collection Administrators group – Select this option, enter user/group names in the text box, and select target users/groups. Only the specified users and groups are allowed to be added to Site Collection Administrators group of the site.

     • Include both the Microsoft Entra groups and their members – When enabled, Policies for Microsoft 365 will evaluate all individual members within the specified Microsoft Entra groups, including those in nested groups. Group membership is retrieved at the time of the scan, and actions are taken only after violations are detected. If disabled, Policies for Microsoft 365 will check for the specified Microsoft Entra groups themselves and will not monitor for the individual members.

     • Select a Defined Group – Besides specifying users/groups one by one, you can select a Defined Group. A Defined Group allows you to specify criteria with which to identify the specific users or groups to assign a rule.

     • Specified users and groups are restricted from being added to the Site Collection Administrators group – Select this option, enter user/group names in the text box, and select target users/groups. The specified users and groups are not allowed to be added to the Site Collection Administrators group of the site.

     • Include both the Microsoft Entra groups and their members – When enabled, Policies for Microsoft 365 will evaluate all individual members within the specified Microsoft Entra groups, including those in nested groups. Group membership is retrieved at the time of the scan, and actions are taken only after violations are detected. If disabled, Policies for Microsoft 365 will check for the specified Microsoft Entra groups themselves and will not monitor for the individual members.

     • Select a Defined Group – Besides specifying users/groups one by one, you can select a Defined Group. A Defined Group allows you to specify criteria with which to identify the specific users or groups to assign a rule.

   • Skip Company Administrator/SharePoint Service Administrator – Choose whether to automatically skip monitoring the Company Administrator and SharePoint Service Administrator groups.

   • Skip AOS service accounts – Choose whether to automatically skip AOS service accounts from monitoring.

   • Do not monitor the following users/groups – This setting allows you to define the users/groups to be excluded from monitoring.

   • Do not monitor users/groups in the following Defined Group – This setting allows you to exclude all users/groups of a specified Defined Group from monitoring.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Remove the out-of-policy users/groups from the Site Collection Administrators group – Select this checkbox if you want to automatically remove users/groups from the Site Collection Administrators group once they are identified as non-compliant.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

#Site Owner Restriction

Use this rule to control users and groups that are allowed to be added to the site owners group of a site.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Select the rule settings that you want to use:

   • Choose who is allowed to be added to the owners group of a site – Select an option:

     • Only the specified users and groups are allowed to be added to the owners group – Select this option, enter user/group names in the text box, and select target users/groups. Only the specified users and groups are allowed to be added to owners group of the site.

     • Include both the Microsoft Entra groups and their members – When enabled, Policies for Microsoft 365 will evaluate all individual members within the specified Microsoft Entra groups, including those in nested groups. Group membership is retrieved at the time of the scan, and actions are taken only after violations are detected. If disabled, Policies for Microsoft 365 will check for the specified Microsoft Entra groups themselves and will not monitor for the individual members.

     • Select a Defined Group – Besides specifying users/groups one by one, you can select a Defined Group. A Defined Group allows you to specify criteria with which to identify the specific users or groups to assign a rule.

     • Specified users and groups are restricted from being added to the owners group – Select this option, enter user/group names in the text box, and select target users/groups. The specified users and groups are not allowed to be added to owners group of the site.

     • Include both the Microsoft Entra groups and their members – When enabled, Policies for Microsoft 365 will evaluate all individual members within the specified Microsoft Entra groups, including those in nested groups. Group membership is retrieved at the time of the scan, and actions are taken only after violations are detected. If disabled, Policies for Microsoft 365 will check for the specified Microsoft Entra groups themselves and will not monitor for the individual members.

     • Select a Defined Group – Besides specifying users/groups one by one, you can select a Defined Group. A Defined Group allows you to specify criteria with which to identify the specific users or groups to assign a rule.

   • Do not monitor the following users/groups – This setting allows you to define the users/groups to be excluded from monitoring.

   • Do not monitor users/groups in the following Defined Group – This setting allows you to exclude all users/groups of a specified Defined Group from monitoring.

   • Skip Company Administrator/SharePoint Service Administrator – Choose whether to automatically skip monitoring the Company Administrator and SharePoint Service Administrator groups.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Remove the out-of-policy users/groups from the owners group – Select this checkbox if you want to automatically remove users/groups from the owners group once they are identified as non-compliant.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

#User/Group Restriction

Use this rule to control users and groups that are allowed to be added to sites.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Select the rule settings that you want to use:

   • Choose who is allowed to be added to sites – Select an option:

     • Only the specified users and groups are allowed to be added to sites – Select this option, enter user/group names in the text box, and select target users/groups. Only the specified users and groups are allowed to be added to the site.

     • Include both the Microsoft Entra groups and their members – When enabled, Policies for Microsoft 365 will evaluate all individual members within the specified Microsoft Entra groups, including those in nested groups. Group membership is retrieved at the time of the scan, and actions are taken only after violations are detected. If disabled, Policies for Microsoft 365 will check for the specified Microsoft Entra groups themselves and will not monitor for the individual members.

     • Select a Defined Group – Besides specifying users/groups one by one, you can select a Defined Group. A Defined Group allows you to specify criteria with which to identify the specific users or groups to assign a rule.

     • Specified users and groups are restricted from being added to sites – Select this option, enter user/group names in the text box, and select target users/groups. The specified users and groups are not allowed to be added to the site.

     • Include both the Microsoft Entra groups and their members – When enabled, Policies for Microsoft 365 will evaluate all individual members within the specified Microsoft Entra groups, including those in nested groups. Group membership is retrieved at the time of the scan, and actions are taken only after violations are detected. If disabled, Policies for Microsoft 365 will check for the specified Microsoft Entra groups themselves and will not monitor for the individual members.

     • Select a Defined Group – Besides specifying users/groups one by one, you can select a Defined Group. A Defined Group allows you to specify criteria with which to identify the specific users or groups to assign a rule.

   • Skip Company Administrator/SharePoint Service Administrator – Choose whether to automatically skip monitoring the Company Administrator and SharePoint Service Administrator groups.

   • Skip users/groups who do not have any permission to objects in sites – Choose whether to automatically skip monitoring users/groups that have not been granted any permissions to the objects within the site.

     Prerequisite: To use this setting, a subscription for Insights is required.

   • Skip users whose access requests are still pending – Choose whether to automatically skip monitoring users whose access requests are still awaiting approval.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Remove the out-of-policy users/groups from sites – Select this checkbox if you want to automatically remove the out-of-policy users/groups from the site once they are identified as non-compliant.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

5. Independent scan interval – Independent scan interval is supported for this rule, allowing you to set an independent scan interval for the Enforce policy job. When enabled, this rule-specific scan interval takes precedence over the general schedule set at the policy level.

   For policies containing this rule, the Enforce policy job may require considerable time to complete, particularly in larger Microsoft 365 environments. To help optimize performance, we recommend that you set a lower frequency for this rule.

   • Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs to scan your Microsoft 365 environment according to the configured interval.

   • Scan start time – When the scan interval is set to Days, Weeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.

     • For daily scans, you need to set a specific time. The job will start daily at the defined time.

     • For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.

     • For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.

#OneDrive

The following rules operate identically to those under the SharePoint sites object type. For detailed rule configurations, refer to SharePoint Sites.

• Access Requests Settings

• Content Creation and Upload Restriction

• Pre-defined Group Members (Cloud Governance)

• Scan Orphaned Users

• Scan External Users

• Site Collection Administrator Enforcement

• Site Collection Administrator Restriction

• Site Owner Restriction

• User/Group Restriction

#Microsoft 365 Groups

Refer to the following sections for the detailed rule configurations.

#Groups

For the Microsoft 365 Groups/Teams object type, the following rules apply to Microsoft 365 Groups or Teams themselves.

#Membership Restriction

Use this rule to control users who are allowed to be added to Microsoft 365 Groups as members.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Choose who is allowed to be added to Microsoft 365 Groups as members:

   • Only the specified users are allowed to be added as members– Select this option, enter usernames in the text box, and select target users. Only the specified users are allowed to be added to the Microsoft 365 Groups as members.

     Select a Defined Group – Besides specifying users one by one, you can select a Defined Group. A Defined Group allows you to specify criteria with which to identify the specific users to assign a rule.

   • Specified users are restricted from being added as members– Select this option, enter usernames in the text box, and select target users. The specified users are not allowed to be added to the Microsoft 365 Groups as members.

     Select a Defined Group – Besides specifying users one by one, you can select a Defined Group. A Defined Group allows you to specify criteria with which to identify the specific users to assign a rule.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Remove the out-of-policy users – Select this checkbox if you want to automatically remove the users from the Microsoft 365 Groups once they are identified as non-compliant.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

#Microsoft 365 Group Visibility in Outlook Client

Use this rule to control if a Microsoft 365 Group should be visible in the Outlook client and the global address list.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Configure rule settings:

   • Choose the Microsoft 365 Group visibility in the Outlook client – Choose the visibility of the Microsoft 365 Group in the Outlook client, either Visible or Hidden.

   • Choose the Microsoft 365 Group visibility in the global address list – Choose the visibility of the Microsoft 365 Group in the global address list, either Visible or Hidden.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Reset visibility of the Microsoft 365 Group – Select this checkbox if you want to automatically reset the Microsoft 365 Group’s visibility to the configured rule settings once it is identified as non-compliant.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

#Owner Number Restriction

Use this rule to control the number of owners in Microsoft 365 Groups.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Configure rule settings:

   • The number of owners must be – Select a condition from the following options: Exactly, Less than, More than, and Within, and then specify the corresponding number.

   • Only monitor users who are not blocked from sign-in – If this checkbox is selected, users who are blocked from signing in will not be monitored and counted into the owner number.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Add users as owners until the required owner number is met – Select this checkbox if you want to automatically add users as owners until the required owner number is met. Choose one of the following methods: Randomly promote members of the Group/Team to owners or Enforce specific users to be owners.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

5. Independent scan interval – Independent scan interval is supported for this rule, allowing you to set an independent scan interval for the Enforce policy job. When enabled, this rule-specific scan interval takes precedence over the general schedule set at the policy level.

   For policies containing this rule, the Enforce policy job may require considerable time to complete, particularly in larger Microsoft 365 environments. To help optimize performance, we recommend that you set a lower frequency for this rule.

   • Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs to scan your Microsoft 365 environment according to the configured interval.

   • Scan start time – When the scan interval is set to Days, Weeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.

     • For daily scans, you need to set a specific time. The job will start daily at the defined time.

     • For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.

     • For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.

#Privacy Restriction

Use this rule to control the privacy of Microsoft 365 Groups.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. The privacy must be – Set the required privacy state for the Microsoft 365 Groups, either Public or Private.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Reset privacy settings – Select this checkbox if you want to automatically reset the Microsoft 365 Group’s privacy settings to the configured rule settings once they are identified as non-compliant.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

5. Independent scan interval – Independent scan interval is supported for this rule, allowing you to set an independent scan interval for the Enforce policy job. When enabled, this rule-specific scan interval takes precedence over the general schedule set at the policy level.

   For policies containing this rule, the Enforce policy job may require considerable time to complete, particularly in larger Microsoft 365 environments. To help optimize performance, we recommend that you set a lower frequency for this rule.

   • Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs to scan your Microsoft 365 environment according to the configured interval.

   • Scan start time – When the scan interval is set to Days, Weeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.

     • For daily scans, you need to set a specific time. The job will start daily at the defined time.

     • For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.

     • For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.

#Group Team Sites

For the Microsoft 365 Groups/Teams object type, the following rules apply specifically to group team sites, rather than to Microsoft 365 Groups or Teams themselves.

As these rules operate identically to those under the SharePoint sites object type, for detailed rule configurations, refer to SharePoint Sites.

• Access Requests Settings

• Content Creation and Upload Restriction

• External Sharing Settings

• Permission Inheritance Protection

• Pre-defined Group Members (Cloud Governance)

• Remove Shadow Users

• Scan Orphaned Users

• Scan External Users

• Site Collection Administrator Enforcement

• Site Collection Administrator Restriction

• Site Owner Restriction

• User/Group Restriction

#Microsoft Teams

Refer to the following sections for the detailed rule configurations.

#Teams

For the Microsoft 365 Groups/Teams object type, the following rules apply to Microsoft 365 Groups or Teams themselves.

#Membership Restriction

Use this rule to control users who are allowed to be added to Teams as members.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Choose who is allowed to be added to Teams as members:

   • Only the specified users are allowed to be added as members– Select this option, enter usernames in the text box, and select target users. Only the specified users are allowed to be added to the Teams as members.

     Select a Defined Group – Besides specifying users one by one, you can select a Defined Group. A Defined Group allows you to specify criteria with which to identify the specific users to assign a rule.

   • Specified users are restricted from being added as members– Select this option, enter usernames in the text box, and select target users. The specified users are not allowed to be added to the Teams as members.

     Select a Defined Group – Besides specifying users one by one, you can select a Defined Group. A Defined Group allows you to specify criteria with which to identify the specific users to assign a rule.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Remove the out-of-policy users – Select this checkbox if you want to automatically remove the users from the Teams once they are identified as non-compliant.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

#Microsoft 365 Group Visibility in Outlook Client

Use this rule to control if a Microsoft 365 Group should be visible in the Outlook client and the global address list.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Configure rule settings:

   • Choose the Microsoft 365 Group visibility in the Outlook client – Choose the visibility of the Microsoft 365 Group in the Outlook client, either Visible or Hidden.

   • Choose the Microsoft 365 Group visibility in the global address list – Choose the visibility of the Microsoft 365 Group in the global address list, either Visible or Hidden.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Reset visibility of the Microsoft 365 Group – Select this checkbox if you want to automatically reset the Microsoft 365 Group’s visibility to the configured rule settings once it is identified as non-compliant.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

#Owner Number Restriction

Use this rule to control the number of owners in Teams.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Configure rule settings:

   • The number of owners must be – Select a condition from the following options: Exactly, Less than, More than, and Within, and then specify the corresponding number.

   • Only monitor users who are not blocked from sign-in – If this checkbox is selected, users who are blocked from signing in will not be monitored and counted into the owner number.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Add users as owners until the required owner number is met – Select this checkbox if you want to automatically add users as owners until the required owner number is met. Choose one of the following methods: Randomly promote members of the Group/Team to owners or Enforce specific users to be owners.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

5. Independent scan interval – Independent scan interval is supported for this rule, allowing you to set an independent scan interval for the Enforce policy job. When enabled, this rule-specific scan interval takes precedence over the general schedule set at the policy level.

   For policies containing this rule, the Enforce policy job may require considerable time to complete, particularly in larger Microsoft 365 environments. To help optimize performance, we recommend that you set a lower frequency for this rule.

   • Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs to scan your Microsoft 365 environment according to the configured interval.

   • Scan start time – When the scan interval is set to Days, Weeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.

     • For daily scans, you need to set a specific time. The job will start daily at the defined time.

     • For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.

     • For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.

#Privacy Restriction

Use this rule to control the privacy of Teams.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. The privacy must be – Set the required privacy state for the Teams, either Public or Private.

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Reset privacy settings – Select this checkbox if you want to automatically reset the Teams’ privacy settings to the configured rule settings once they are identified as non-compliant.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

5. Independent scan interval – Independent scan interval is supported for this rule, allowing you to set an independent scan interval for the Enforce policy job. When enabled, this rule-specific scan interval takes precedence over the general schedule set at the policy level.

   For policies containing this rule, the Enforce policy job may require considerable time to complete, particularly in larger Microsoft 365 environments. To help optimize performance, we recommend that you set a lower frequency for this rule.

   • Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs to scan your Microsoft 365 environment according to the configured interval.

   • Scan start time – When the scan interval is set to Days, Weeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.

     • For daily scans, you need to set a specific time. The job will start daily at the defined time.

     • For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.

     • For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.

#Teams Settings Enforcement

Use this rule to enforce certain Teams settings.

Refer to the following information for the detailed rule settings:

1. Add a filter to this rule – Filter is supported by this rule, allowing you to apply this rule only to the objects that meet the defined filter conditions. From the drop-down list, select an existing filter or click New to open the Create filter panel to create a new filter. After selecting a filter, click View details to view its configuration.

   Note that applying a filter directly to a rule takes precedence over any filter set at the policy level. Consequently, only the filter assigned to the rule will be used when evaluating conditions for objects.

2. Select the Teams settings that you want to manage through this rule, and then configure each setting by enabling or disabling it as required.

   • Member permissions

     • Allow members to create and update channels

     • Allow members to create private channels

     • Allow members to delete and restore channels

     • Allow members to add and remove apps

     • Allow members to create, update, and remove tabs

     • Allow members to create, update, and remove connectors

     • Give members the option to delete their messages

     • Give members the option to edit their messages

   • Guest permissions

     • Allow guests to create and update channels

     • Allow guests to delete channels

   • Message permissions

     • Team owners can delete sent messages

3. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Reset Teams settings – Select this checkbox if you want to automatically reset Teams settings to the configured rule settings once they are identified as non-compliant.

4. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

#Group Team Sites

For the Microsoft 365 Groups/Teams object type, the following rules apply specifically to group team sites, rather than to Microsoft 365 Groups or Teams themselves.

As these rules operate identically to those under the SharePoint sites object type, for detailed rule configurations, refer to SharePoint Sites.

• Access Requests Settings

• Content Creation and Upload Restriction

• External Sharing Settings

• Permission Inheritance Protection

• Pre-defined Group Members (Cloud Governance)

• Remove Shadow Users

• Scan Orphaned Users

• Scan External Users

• Site Collection Administrator Enforcement

• Site Collection Administrator Restriction

• Site Owner Restriction

• User/Group Restriction

#Security and Distribution Groups

Refer to the following sections for the detailed rule configurations.

#Membership Restriction

Use this rule to control users who are allowed to be added to security groups and distribution lists as members.

Refer to the following information for the detailed rule settings:

1. Choose who is allowed to be added to security groups and distribution lists as members:

   • Only the specified users are allowed to be added as members– Select this option, enter usernames in the text box, and select target users. Only the specified users are allowed to be added to the security groups and distribution lists as members.

     Select a Defined Group – Besides specifying users one by one, you can select a Defined Group. A Defined Group allows you to specify criteria with which to identify the specific users to assign a rule.

   • Specified users are restricted from being added as members– Select this option, enter usernames in the text box, and select target users. The specified users are not allowed to be added to the security groups and distribution lists as members.

     Select a Defined Group – Besides specifying users one by one, you can select a Defined Group. A Defined Group allows you to specify criteria with which to identify the specific users to assign a rule.

2. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

   • Remove the out-of-policy users – Select this checkbox if you want to automatically remove the users from the security groups and distribution lists once they are identified as non-compliant.

3. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

#Owner Number Restriction

Use this rule to control the number of owners in security groups and distribution lists.

Refer to the following information for the detailed rule settings:

1. Configure rule settings:

   • The number of owners must be – Select a condition from the following options: Exactly, Less than, More than, and Within, and then specify the corresponding number.

   • Only monitor users who are not blocked from sign-in – If this checkbox is selected, users who are blocked from signing in will not be monitored and counted into the owner number.

2. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email template.

3. Independent scan interval – Independent scan interval is supported for this rule, allowing you to set an independent scan interval for the Enforce policy job. When enabled, this rule-specific scan interval takes precedence over the general schedule set at the policy level.

   For policies containing this rule, the Enforce policy job may require considerable time to complete, particularly in larger Microsoft 365 environments. To help optimize performance, we recommend that you set a lower frequency for this rule.

   • Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs to scan your Microsoft 365 environment according to the configured interval.

   • Scan start time – When the scan interval is set to Days, Weeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.

     • For daily scans, you need to set a specific time. The job will start daily at the defined time.

     • For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.

     • For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.