1. Strict preset
Highest precedence for included recipients. Microsoft-managed settings cannot be edited. Strict generally blocks click-through and protects internal messages; use for priority/high-risk cohorts with client and support readiness.
Email rewriting, Teams and Office click checks, policy precedence, exclusions, and evidence
Design multichannel URL protection that follows the user and the destination. Determine which Safe Links policy actually applies, protect internal and external email, enable time-of-click checks for Teams and supported Office apps, restrict click-through, govern tracking and privacy, keep exclusion lists narrow, use Advanced Delivery for approved simulations, and validate behavior with real clients and evidence.

Operating objective
Safe Links is licensed Microsoft Defender for Office 365 protection for URLs in email, Microsoft Teams, and supported Office 365 applications. In email, Safe Links can rewrite URLs and evaluate them during mail flow and at click. In Teams and Office apps, Microsoft describes time-of-click checks without URL rewriting. A single “enabled” screenshot therefore does not prove consistent coverage across workloads, recipients, message direction, clients, or exception paths.
There is no ordinary default Safe Links policy. The Built-in protection preset provides Safe Links coverage to recipients not already protected by Strict, Standard, evaluation, or custom Safe Links policies, unless excluded. Microsoft recommends Standard and/or Strict preset protection for broad deployment instead of unnecessary custom-policy sprawl. Effective settings follow precedence, not the last policy edited.
Design must connect policy scope to client behavior, URL rewriting mode, internal-message coverage, real-time scanning, file-link scanning, delivery-time waiting, Teams/Office toggles, click tracking, click-through, URL exclusions, notifications/warning pages, incident investigation, and user reporting. Safe Links is one layer; it does not replace sender authentication, endpoint protection, Safe Attachments, application control, conditional access, or user verification.
Control statement: Before changing URL rewriting, click-through, tracking, internal-message scope, Teams/Office protection, or an exclusion, record the effective recipient cohort, business use case, risk boundary, test clients, expected headers/redirect behavior, rollout timing, monitoring, rollback, owner, and expiry.
Effective policy precedence
Highest precedence for included recipients. Microsoft-managed settings cannot be edited. Strict generally blocks click-through and protects internal messages; use for priority/high-risk cohorts with client and support readiness.
Applies after Strict and before evaluation/custom policies. It is the broad Microsoft-recommended baseline for many organizations. Exclusions and overlapping groups must be unambiguous.
Evaluation policies follow presets; custom Safe Links policies then apply by priority. Policy settings and recipient rules are separate objects in PowerShell and both must be preserved during change/cleanup.
Provides default Safe Links/Safe Attachments coverage for remaining recipients. It does not affect recipients already in Strict, Standard, evaluation, or custom Safe Links policies.
Propagation safeguard: Microsoft advises allowing up to six hours for a new or updated Safe Links policy to apply, while the Teams setting might take up to 24 hours. Test after the documented propagation window and record actual client behavior.
Workload behavior matrix
| Workload / path | Protection mechanics | Key design questions | Test evidence | Common misunderstanding |
|---|---|---|---|---|
| Email — rewritten URLs | URLs are rewritten during mail flow and evaluated at click; policy can scan links to downloadable files and wait for URL scanning before delivery. | Are external and internal messages covered? Is real-time scanning enabled? Is click-through blocked? Are link formats compatible with business apps? | Original and rewritten URL, headers, message trace, policy scope, safe/blocked click screenshots, client/platform and timestamp. | Seeing a rewritten URL proves the redirect path, not that every recipient/client/workload is protected or every destination will be blocked. |
| Email — API-only / no rewrite | Supported clients can use Safe Links API checks without persistent URL rewrite. | Which preset/custom mode applies, which Outlook versions are supported, and how will older/unsupported clients behave? | Client/version matrix, time-of-click result, headers/policy export, simulation behavior and fallback tests. | “Do not rewrite” is not the same as “do not scan”; Microsoft notes URLs on the exclusion list might still be blocked at click. |
| Microsoft Teams | Known malicious URLs are checked at click; URLs are not rewritten. Applies to protected users in chats, group chats, channels and tabs as documented. | Is Teams protection enabled for the sender/user cohort? Have desktop, web and mobile clients been tested after propagation? | Policy assignment, client/platform, benign and blocked destination tests, timestamps, warning behavior and incident telemetry. | Email rewrite tests do not validate Teams, and an unchanged URL does not mean Teams click protection is absent. |
| Supported Office apps | URLs in supported desktop, mobile and web apps are checked at click without rewriting. | Which apps, versions, identities and network paths are in scope? Are users signed in and licensed? How are files from internal/external sources tested? | App/version, user/license, document source, safe/blocked click, policy assignment and network/client logs. | Safe Links for Office apps does not replace Safe Attachments for documents or endpoint/browser protection. |
| Internal messages | Policy can apply Safe Links to email sent within the organization. | Are compromised internal accounts, lateral phishing and forwarded content in the threat model? Which legacy workflows break under rewriting? | Internal sender/recipient cohorts, rewritten/API behavior, help-desk cases, mail headers and change approval. | “Internal” does not mean trustworthy; excluding it leaves a lateral-phishing gap. |
| Phishing simulations / SecOps | Use Advanced Delivery for approved third-party simulations and designated SecOps mailboxes. | Are sending domains/IPs and simulation URLs correct, bounded and owned? Does MX/gateway architecture preserve expected identity? | Advanced Delivery export, vendor infrastructure, simulation test, alert behavior, expiry/review and negative test. | Adding simulation URLs to do-not-rewrite lists or broad bypass rules is not the recommended architecture and can create unwanted alerts/gaps. |
Twelve-step design and rollout runbook
Record phishing/URL threat goals, workloads, licensed users, high-risk cohorts, internal-message requirement, legacy link-dependent applications, privacy constraints, help-desk readiness, and business owners.
Capture preset profiles, evaluation policies, custom Safe Links policies and rules, Built-in exclusions, priority, settings, recipient conditions, do-not-rewrite entries, Advanced Delivery and relevant licensing.
Test representative executives, finance, frontline, admins, shared/service accounts, general users and exceptions. Resolve overlapping groups, nested membership limitations, exclusions and unlicensed recipients.
Use Standard/Strict presets where appropriate; create custom policies only for a real differentiated requirement. Define why each custom cohort cannot use the preset and assign an owner/retirement criterion.
Decide rewrite/API mode, internal messages, real-time scanning, file links, wait-for-scan delivery, click tracking and click-through. Treat business compatibility and security impact as separate acceptance gates.
Map supported clients, identities and documents/messages. Include desktop, web and mobile representatives and allow for documented propagation before concluding settings failed.
Inventory every do-not-rewrite entry and requested bypass. Validate syntax, exact destinations, owner, business need, alternate remediation, risk, expiration and the fact that click-time blocking can still occur.
Use Advanced Delivery for authorized non-Microsoft simulations and SecOps mailboxes. Validate domains, IPs, URLs, gateway/MX path, vendor change process and scope; avoid general bypass rules.
Define test URLs, clients, expected rewrite/warning behavior, screenshots, headers, alerts, user reporting, privacy handling, incident escalation, help-desk messages and rollback triggers.
Use a bounded group covering common and edge-case clients. Test safe, blocked, changed-after-delivery, internal, Teams, Office, file-link, exclusion and simulation scenarios without using live malicious infrastructure.
Wait for propagation, compare protection and compatibility metrics, remediate applications rather than accumulating exclusions, publish user guidance, expand cohorts and verify effective settings after each phase.
Seal before/after exports, tests, incidents, exceptions and rollback; reconcile all licensed users; remove orphaned policy/rule objects; set owner, review cadence and expiry for every exception.
Control decisions
Disallowing click-through prevents users from bypassing the warning to the original destination. Treat any request to enable click-through as a security exception with an owner, cohort, business case, monitoring and expiry.
Click telemetry supports investigation and campaign response but affects privacy, access and retention decisions. Document who may query data, acceptable use, escalation, legal/HR review where applicable, and evidence minimization.
Delivery-time URL scanning can improve pre-delivery evaluation but introduces performance/compatibility considerations. Measure delivery experience and confirm the setting actually applies to the recipient policy.
Real-time scanning of links to downloadable files helps protect click paths; it is not attachment detonation and does not replace Safe Attachments, endpoint protection or application control.
Protect internal email to reduce lateral phishing after account compromise. Test workflow systems, scanners, line-of-business apps and service mail; remediate malformed/authentication issues instead of excluding the tenant.
Do-not-rewrite entries create visibility and control complexity. Keep them exact, documented, reviewed and temporary. Test both mail-flow rewriting and time-of-click outcome because exclusion from rewriting is not guaranteed allow.
Top Safe Links risks and misconfigurations
Teams assume default coverage proves every licensed recipient, internal message, client and workload has the intended settings.
Strict/Standard/evaluation precedence or a higher-priority custom rule protects the recipient instead.
Rewritten email links pass tests while Teams, Office apps, internal messages, mobile clients or shared workflows remain unverified.
Users can bypass warning pages and reach destinations that policy identified as unsafe.
Operations expect excluded URLs never to be blocked, even though Microsoft notes time-of-click blocking can still occur.
Whole domains, wildcards or legacy links accumulate without owners, expiry, syntax validation or security review.
Broad transport/Safe Links exclusions replace purpose-built Advanced Delivery and weaken production protection.
Compromised accounts can deliver lateral phishing without the expected email click path protection.
Click telemetry is collected without access boundaries, privacy purpose, retention handling or incident workflow.
Teams repeatedly edit policies before Microsoft’s application windows elapse, obscuring the actual configuration and rollback point.
Evidence and cadence
Investigate blocked-click campaigns, user reports, incidents, false positives and business-critical URL failures.
Review exclusions, Advanced Delivery changes, help-desk cases, client gaps and recurring destinations.
Reconcile effective coverage, priority, settings, policy/rule pairs, licenses, tracking access and metrics.
Run full multichannel tests, review privacy/support design, retire custom policies and recertify every exclusion.
Authoritative resources and related guidance
Frequently asked questions
There is no ordinary default Safe Links policy. The Built-in protection preset provides Safe Links protection for remaining recipients by default unless excluded; Strict, Standard, evaluation and custom policies take precedence for covered recipients.
Microsoft documents time-of-click Safe Links checks in Teams and supported Office apps without URL rewriting. Email behavior depends on the effective policy and can use rewritten URLs or supported API-only checks.
No. Microsoft notes Safe Links does not scan or wrap listed URLs during mail flow, but might still block them at time of click. Treat exclusions as compatibility controls, not trust declarations.
For strong protection, disable click-through. Any exception should be a scoped, approved, monitored cohort with business justification, user guidance, owner, expiry and incident review.
Use Advanced Delivery with the authorized vendor domains/IPs and relevant simulation URLs rather than broad transport or Safe Links bypasses. Validate gateway/MX path, client behavior, alerts and negative tests.
Microsoft advises up to six hours for new/updated Safe Links policies and notes Teams protection might take up to 24 hours. Preserve one change at a time and test after the appropriate window.
Protect every click path with evidence
IT Perfection helps Orange County and Southern California organizations map effective Safe Links coverage, deploy Standard/Strict or justified custom policies, protect email, Teams and Office click paths, govern exclusions and simulations, test client behavior, improve incident evidence, and keep Microsoft 365 URL protection supportable.
Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience. This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, incident investigation, legal/privacy review, licensing review, or tested email recovery plan.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.