Safe Links examines emails, Teams messages, and Office 365 apps for malicious links. It scans and alters URLs in incoming emails and verifies links at the time of clicking.

There is no default Safe Links policy. The “Built-in protection” preset security policy provides Safe Links protection for email messages, Microsoft Teams, and files in supported Office apps.

Safe Links protection through Safe Links policies is accessible in the following locations:

  • Email messages:

    • Safe Links protection for links embedded in email messages.
  • Microsoft Teams:

    • Safe Links protection for links within Teams conversations, group chats, or originating from channels.
  • Office apps:

    • Safe Links protection for supported Office desktop, mobile, and web applications.

You configure Safe Links policies in the Microsoft Security portal or in Exchange Online PowerShell with the New-SafeLinksPolicy cmdlet.

In this article, we will use the Microsoft Security portal for the configuration.

  1. Go to the Safe Links policies page in the Microsoft Security portal.

  2. Click on ‘Create’.

  3. Specify a policy name such as TENANTSHORT - Safe links policy.

  4. Under ‘Users and Domains’, select the users, groups, and/or domains you want to include (In my case, I chose the default tenant domain).

    • If desired, exclude groups such as Microsoft 365 groups or mail-enabled security groups.
  5. Under ‘URL & click protection settings’, configure the URL and click protection settings for email, Teams, and Office 365 apps:

    • Email:

      • Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default (recommended value: $true).

      • Apply Safe Links to email messages sent within the organization (recommended value: $true).

      • Apply real-time URL scanning for suspicious links and links that point to files (recommended value: $true).

      • Wait for URL scanning to complete before delivering the message (recommended value: $true).

      • Do not rewrite URLs, do checks via Safe Links API only (recommended value: $false).

      • Do not rewrite the following URLs in email (recommended value: none).

        • URLs in the “Don’t rewrite the following URLs” list bypass Safe Links scanning. Report the URL as “Should not have been blocked (False positive)” and choose “Allow this URL” to prevent Safe Links from scanning it during mail flow and at the time of click. This adds the URL to the Tenant Allow/Block List.
      • Rewrite URLs example: [image]

      • Do not rewrite URLs example: [image]

    • Teams:

      • Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten (recommended value: $true).
        • This setting may require up to 24 hours to become effective. It influences the functionality of time-of-click protection.
    • Office 365 apps:

      • Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten (recommended value: $true).
        • Safe Links is supported in Office 365 desktop and mobile (iOS and Android) apps.
    • Track user clicks:

      • Let users click through to the original URL (recommended value: $false).
        • This disables the option to prevent users from clicking through to the original URL in warning pages.
      • Display the organization branding on notification and warning pages (recommended value: none).
    • Notification:

      • Use custom notification text (recommended value: none).
  6. Save your new Safe Links policy.

NOTE: Allow up to 6 hours for a new or updated policy to be applied.
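
The same policy can also be created with the New-SafeLinksPolicy cmdlet mentioned above. The script below is an added example, not part of the original article: it applies the recommended values from step 5, scopes the policy to the default accepted domain as in step 4, and then reads the policy back to report any setting that differs. It assumes the ExchangeOnlineManagement module is installed, and the mapping from portal labels to cmdlet parameters is this example's own.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and admin rights.
Connect-ExchangeOnline

$policyName = 'TENANTSHORT - Safe links policy'   # name from step 3

# Recommended values from step 5, keyed by New-SafeLinksPolicy parameter.
# The label-to-parameter mapping is this example's, not the article's.
$recommended = @{
    EnableSafeLinksForEmail  = $true    # check links in email; URLs are rewritten
    EnableForInternalSenders = $true    # messages sent within the organization
    ScanUrls                 = $true    # real-time scanning of suspicious links
    DeliverMessageAfterScan  = $true    # wait for scanning before delivery
    DisableUrlRewrite        = $false   # keep rewriting, not API-only checks
    EnableSafeLinksForTeams  = $true    # time-of-click checks in Teams
    EnableSafeLinksForOffice = $true    # time-of-click checks in Office apps
    AllowClickThrough        = $false   # no click-through from warning pages
}

# Create the policy only if it does not exist yet.
if (-not (Get-SafeLinksPolicy | Where-Object Name -eq $policyName)) {
    New-SafeLinksPolicy -Name $policyName @recommended | Out-Null

    # In PowerShell a policy is applied through a separate rule that holds the
    # recipient conditions; the portal creates both objects in one wizard.
    $defaultDomain = (Get-AcceptedDomain | Where-Object { $_.Default }).DomainName
    New-SafeLinksRule -Name $policyName -SafeLinksPolicy $policyName `
        -RecipientDomainIs $defaultDomain | Out-Null
}

# Audit: read the policy back and list every setting that drifted.
$policy = Get-SafeLinksPolicy -Identity $policyName
$drift = foreach ($setting in $recommended.GetEnumerator()) {
    $actual = $policy.($setting.Key)
    if ($actual -ne $setting.Value) {
        [pscustomobject]@{
            Setting = $setting.Key; Expected = $setting.Value; Actual = $actual
        }
    }
}

# The recommended "do not rewrite" list is empty; flag any entries in it.
if ($policy.DoNotRewriteUrls.Count -gt 0) {
    Write-Warning "DoNotRewriteUrls has entries: $($policy.DoNotRewriteUrls -join ', ')"
}

if ($drift) { $drift | Format-Table -AutoSize }
else { "Policy '$policyName' matches the recommended values." }
```

Re-running the script against an existing policy skips creation and only performs the audit, which makes it usable as a periodic configuration check.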
