Microsoft 365 PDP

You can set up post-delivery protection (PDP) for your Microsoft 365 users to protect them from malicious messages.

PDP includes the auto search and remediate feature, which searches your users' Microsoft 365 mailboxes to identify and quarantine messages that become malicious after they're delivered.

It also includes the on-demand clawback feature, which lets you manually claw back messages that you previously delivered to one or more Microsoft 365 mailboxes.

You can watch the following video to learn how to configure these features and how they work.

Accept Microsoft pop-ups

When you set up post-delivery protection, you must give permission for Sophos applications to access your Microsoft 365 domains.

To do this, your browser must accept pop-ups during the setup process. You might have to turn off pop-up blockers or add exceptions for Microsoft 365 domains.

You must also be able to sign in to the correct domain. If your browser has stored sign-in credentials for a different domain, use an incognito or private browsing window.

Set up post-delivery protection

Set up post-delivery protection by connecting your Microsoft 365 Gateway or Mailflow domain and granting the required permissions. This lets Sophos Email scan delivered messages, remove malicious content, and perform clawback actions.

To set up your domains, do as follows:

  1. Click the General Settings icon, scroll down to the Email Domain Setup section, and click Gateway Domain Settings/Status or M365 Mailflow Domain Settings/Status.

    Tip

    Alternatively, go to My Products > Email Security > Settings. Under Email Domain Setup, click Gateway Domain Settings/Status or M365 Mailflow Domain Settings/Status.

    Gateway Domains settings/status or M365 Mailflow Domain Settings/Status opens with a list of your domains.

  2. Under Post-Delivery, hover over the status and click the Connect icon for the domain you want to connect.

    Note

    Sophos Central normally detects the email service for your domain automatically. If it can't detect the service, it displays a dialog asking you to select between Microsoft 365 and Google Workspace. Select Microsoft M365 to continue with these steps.

    Note

    Each time you connect a domain to post-delivery protection, you must read and accept the terms and conditions of use.

    You'll normally see two permission request pop-ups: one for the Sophos master application and another for API access. If someone has already granted permissions, you may only see one Microsoft pop-up.

  3. Review the pop-ups, grant consent to Sophos, and accept the requests.

    This allows Sophos to access your Microsoft 365 domain.

    If you can't connect to your domain, you may see one of the following error messages.
    • Failed to establish session: session has timed out.
    • Failed to create connection: consent for API access wasn't granted.
    • Failed to create connection: consent for data access wasn't granted.
    • Failed to create connection: the domains in Sophos Email don't match the domains in the Microsoft 365 domain.
    • Failed to create connection: (reason not specified).

    Resolve the issue, then try connecting again.

    Note

    Post-delivery protection won't work unless you grant these permissions.

  4. After the permissions are granted, click Continue.

    Setting up the connection starts. This may take a few minutes.

  5. When setting up the connection is completed, click Close.

    Your domain is now connected to post-delivery protection.

  6. Turn on post-delivery protection features.

    1. Click Configure Post Delivery.
    2. Turn on Auto search and remediate.
    3. Turn on Remove emails containing malicious URLs and Remove emails containing malware.
    4. Turn on On demand clawback.
  7. Click Save.

Sophos Email now scans your users' Microsoft 365 inboxes and quarantines malicious messages. You can see, delete, and release malicious messages in My Products > Email Security > Quarantined Messages > Post delivery quarantine.
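After granting consent in step 3, you can check from the Microsoft 365 side which permissions the connection now holds. The following PowerShell script is an added example, not part of the Sophos documentation or product. It uses the Microsoft Graph PowerShell SDK to list the application and delegated permissions held by the matching enterprise applications. The name pattern "Sophos" is an assumption; replace it with the application names shown in your consent pop-ups.

```powershell
# Added example: audit the Entra ID consent created by the post-delivery connection.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# ASSUMPTION: the enterprise applications have "Sophos" in their display name.
param([string]$NamePattern = 'Sophos')

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# Enterprise applications (service principals) created when consent was granted.
$apps = Get-MgServicePrincipal -All |
    Where-Object { $_.DisplayName -like "*$NamePattern*" }

if (-not $apps) {
    Write-Warning "No service principal matches '$NamePattern'. Consent may not have been granted."
    return
}

# Cache of resource service principals (for example Microsoft Graph), keyed by object id.
$resourceCache = @{}
function Get-Resource([string]$Id) {
    if (-not $resourceCache.ContainsKey($Id)) {
        $resourceCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id
    }
    $resourceCache[$Id]
}

$report = foreach ($app in $apps) {
    # Application permissions (app roles) granted by admin consent.
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $app.Id -All) {
        $res  = Get-Resource $a.ResourceId
        $role = $res.AppRoles | Where-Object Id -eq $a.AppRoleId
        [pscustomobject]@{
            App = $app.DisplayName; Type = 'Application'
            Resource = $res.DisplayName; Permission = $role.Value
            Granted = $a.CreatedDateTime
        }
    }
    # Delegated permissions (OAuth2 scopes), granted tenant-wide or per user.
    foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($app.Id)'" -All) {
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                App = $app.DisplayName; Type = "Delegated ($($g.ConsentType))"
                Resource = (Get-Resource $g.ResourceId).DisplayName; Permission = $scope
                Granted = $null
            }
        }
    }
}
$report | Sort-Object App, Type, Permission | Format-Table -AutoSize
```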

Manage Microsoft 365 connections

In Gateway Domains settings/status or M365 Mailflow Domain Settings/Status, you can manage your Microsoft 365 domains and view their connection status.

To open this view, click the General Settings icon, scroll down to the Email Domain Setup section, and click Gateway Domain Settings/Status or M365 Mailflow Domain Settings/Status.

Alternatively, you can go to My Products > Email Security > Settings. Under Email Domain Setup, click Gateway Domain Settings/Status or M365 Mailflow Domain Settings/Status.

From there, you can view the connection status of your Microsoft 365 domains. You can connect or disconnect domains from post-delivery protection, edit their settings, or remove them as needed.

Note

Sophos Central may reuse an existing Microsoft 365 authorization when multiple domains belong to the same domain. If it can't detect the email service automatically, it may prompt you to select between Microsoft 365 and Google Workspace.

Manage quarantined messages

Auto search and remediate looks for messages in your users' inboxes that become malicious after delivery and retracts them from inboxes into PDP quarantine. With On demand clawback, you can manually claw back messages that have already been delivered to recipients, retracting the messages into PDP quarantine. See On-demand clawback.

You can watch the following video for an overview of on-demand clawback, including how to configure it and how it works.

For more information, see On-demand clawback.

You can find quarantined messages from Microsoft 365 users in Email Security Dashboard > Quarantined Messages > Post delivery quarantine. For more information, see Post-delivery quarantine message details.

Reports

Reports are available in Reports > Post delivery summary.

For more information, see Post-delivery summary report.