Attackers can often gain access to sensitive information, compromise systems or launch ransomware attacks by tricking users into downloading malicious documents or attachments. This can lead to data breaches, financial losses, and damage to your organization's reputation.

Safe Documents is a premium feature designed to provide an additional layer of security by blocking the opening of potentially malicious documents. It uses the Microsoft Defender Advanced Threat Protection cloud.

When a user attempts to open a document, Safe Documents scans it using real-time scanning and advanced threat detection mechanisms. If the document is considered safe, it can be opened directly without going through Protected View. If the document is flagged as potentially malicious, it is blocked from opening and the user is notified of the security concern.

Safe Documents is controlled by the service plan Office 365 SafeDocs. This service plan is available in:

- Microsoft 365 A5/E5/F5/G5
- Microsoft 365 A5/E5/F5/G5 Security

Safe Documents is not included in Microsoft Defender for Office 365 licensing plans.

Users must be licensed for Microsoft 365 E5 or Microsoft 365 E5 Security and must be signed in on their devices for protection to be in place.

In the Set section, you can configure one of the following options when you apply the setting:

  • Disabled: Disables Safe Documents.
  • Enabled: Enables Safe Documents. Users will not be able to open files identified as malicious.
  • Do not modify (Ignore): We will not monitor nor attempt to modify the organization’s Safe Documents setting. We recommend using this if you prefer using a customized policy in Defender, so Office Protect does not overwrite your customization.


The Safe Documents setting is available in the Microsoft 365 Defender Security portal, under Policies & rules > Threat policies > Safe Attachments > Global settings.

Operation to look for in the Unified Audit Logs: Set-AtpPolicyForO365
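
One way to act on the audit operation above, as an added example that is not part of the original article: a PowerShell check for an Exchange Online PowerShell session (`Connect-ExchangeOnline`) that lists recent `Set-AtpPolicyForO365` changes and flags those that weaken Safe Documents. The 30-day window is arbitrary, and the `AuditData` layout (a `Parameters` array of `Name`/`Value` pairs) is an assumption about how the record is logged.

```powershell
# Added example: review Safe Documents changes recorded in the Unified Audit Log.
# Requires the ExchangeOnlineManagement module and an active Connect-ExchangeOnline session.

$start = (Get-Date).AddDays(-30)   # assumed review window
$end   = Get-Date

# Pull every Set-AtpPolicyForO365 operation in the window (5000 is the per-call maximum).
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations 'Set-AtpPolicyForO365' -ResultSize 5000

$changes = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json

    # Assumption: cmdlet parameters are logged as a list of Name/Value pairs.
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

    [pscustomobject]@{
        TimeUtc           = $data.CreationTime
        User              = $data.UserId
        EnableSafeDocs    = $params['EnableSafeDocs']
        AllowSafeDocsOpen = $params['AllowSafeDocsOpen']
    }
}

# Full change history, oldest first.
$changes | Sort-Object TimeUtc | Format-Table -AutoSize

# Changes that turn Safe Documents off, or that let users open files identified as malicious.
$weakened = $changes | Where-Object {
    $_.EnableSafeDocs -eq 'False' -or $_.AllowSafeDocsOpen -eq 'True'
}
if ($weakened) {
    Write-Warning "Safe Documents protection was weakened $(@($weakened).Count) time(s):"
    $weakened | Format-Table -AutoSize
}

# Current state of the policy, to compare against the last logged change.
Get-AtpPolicyForO365 | Format-List EnableSafeDocs, AllowSafeDocsOpen
```

The Enabled option described above corresponds to `EnableSafeDocs` being `True` with `AllowSafeDocsOpen` set to `False`.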

Microsoft’s Documentation on Safe Documents:

Details on how Microsoft Defender for Endpoint handles your data: