How to quickly provision Microsoft 365 Business subscriptions for Exchange Online and ATP using PowerShell

Hey folks, Microsoft 365 Business is a really cool subscription for small businesses, and if you are doing these configurations for a lot of tenants, then you’re probably going to want to automate some of the setup. Today I’m going to share a script I use to quickly configure my “baseline” defaults for this subscription, including:

  • Exchange Online settings:
    • Modern authentication for MFA support
    • Mailbox auditing & log search capability
    • Mobile device mailbox policy
    • Antispam & Antimalware policies
  • Exchange Online Archiving:
    • Enabling the archive mailbox for all users (default 2 year move to archive policy will apply)
  • Azure Information Protection:
    • Enable Office Message Encryption (OME) transport rule for encrypted email messages
  • Advanced Threat Protection:
    • Enabling ATP, Safe Links, Safe Attachments and Anti-Phishing policies

So really, this will work for any tenant that contains the subscriptions above (Microsoft 365 Business happens to include them all). And of course, this assumes that you have already set up your subscription and licensed your users (they should already have mailboxes in the cloud). Before you get started, you need to connect to Exchange Online using PowerShell:

#Prompt for the tenant admin credentials and open a remote PowerShell session to Exchange Online:
$cred = Get-Credential
#Note: this endpoint uses Basic authentication, which does not work with MFA-protected admin accounts and has since been retired by Microsoft; the ExchangeOnlineManagement module (Connect-ExchangeOnline) is the supported replacement.
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
#Import the Exchange Online cmdlets into the local session:
Import-PSSession $session
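The same connection step done with the ExchangeOnlineManagement module, which authenticates with modern auth (so it works with MFA on the admin account) rather than the Basic-auth remote session shown above. This is an added example, not code from the original post; it assumes the module is installed (Install-Module ExchangeOnlineManagement) and the $AdminUpn value is a placeholder. It also adds a tenant confirmation prompt, because a baseline script that is run against the wrong customer tenant is much harder to undo than to prevent.

```powershell
# Added example (not from the original post): connect with the ExchangeOnlineManagement module.
# Assumes: Install-Module ExchangeOnlineManagement -Scope CurrentUser has already been run.
$AdminUpn = "admin@companyname.com"   # placeholder; replace with the tenant admin account

Import-Module ExchangeOnlineManagement -ErrorAction Stop
# Modern authentication: an MFA prompt appears in the browser window that opens.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Guard rail for consultants working across many tenants: show which tenant the session
# actually belongs to and require the operator to type its display name before any
# Set-*/New-* cmdlet from the baseline runs.
$Org = Get-OrganizationConfig
Write-Host "Connected to tenant: $($Org.Name) (display name: $($Org.DisplayName))"
$Confirm = Read-Host "Type the tenant display name exactly to continue"
if ($Confirm -cne $Org.DisplayName) {
    Disconnect-ExchangeOnline -Confirm:$false
    throw "Tenant confirmation failed; session disconnected without making changes."
}

# ... run the baseline script from this post here ...

# Always tear the session down when finished.
Disconnect-ExchangeOnline -Confirm:$false
```

Remove-PSSession is not needed with this module; Disconnect-ExchangeOnline closes the session and clears the cached token.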

Pay attention to the comments and review the options in each cmdlet so you understand their purpose, and decide how you might want to manipulate these settings for your own environment. You can review some of the options for setting up policies using the cmdlets here:

Remember, what is depicted here is by way of example only: a very bare-minimum baseline. I encourage you to build off this and make it your own.

You will start by defining some variables.

#THIS SCRIPT WILL CONFIGURE EXCHANGE ONLINE FOR MICROSOFT 365 BUSINESS SUBSCRIPTIONS WITH BASELINE POLICIES:
#BASELINE POLICIES ARE PROVIDED HERE BY WAY OF EXAMPLE ONLY;
#IT IS RECOMMENDED TO REVIEW THE POLICY SETTINGS AND ADJUST AS NEEDED FOR YOUR ORGANIZATION'S REQUIREMENTS

#!!!!!!!!!!CAREFUL!!!!!!!!!!
#BEFORE YOU START, DEFINE THE SUPPORT CONTACT AND DOMAIN NAME:
$ITSupportEmail = "support@companyname.com"   #placeholder; replace with your IT support mailbox
$DomainName = "companyname.com"               #placeholder; replace with your primary accepted domain

#Enable Organization Customization:
Enable-OrganizationCustomization

#ENABLE AUDITING (Update: this is now on by default):
#Enable audit log search:
#Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
#Enable mailbox auditing:
#Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
#Enable audit of Owner actions:
#Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditOwner @{Add="MailboxLogin","HardDelete","SoftDelete","MoveToDeletedItems"}

#ENABLE MODERN AUTHENTICATION FOR MFA TO EXCHANGE ONLINE: 
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

#CONFIGURE DEFAULT MOBILE DEVICE AND SPAM POLICIES:
#Modify the default mobile device mailbox policy:
Set-MobileDeviceMailboxPolicy -Identity Default -PasswordEnabled $true -AllowSimplePassword $false -PasswordRecoveryEnabled $true -MinPasswordLength 4 -MaxPasswordFailedAttempts 10 -AllowExternalDeviceManagement $true -AllowNonProvisionableDevices $false -RequireDeviceEncryption $true -MaxInactivityTimeLock 00:05:00 -IsDefault $true
#Modify the default content filter policy:
Set-HostedContentFilterPolicy -Identity Default -SpamAction Quarantine -PhishSpamAction Quarantine -BulkSpamAction Quarantine -BulkThreshold 7 -HighConfidenceSpamAction Quarantine -IncreaseScoreWithNumericIps On -IncreaseScoreWithRedirectToOtherPort On -MarkAsSpamJavaScriptInHtml On -MarkAsSpamSpfRecordHardFail On -MarkAsSpamFromAddressAuthFail On -QuarantineRetentionPeriod 15
#Modify the default outbound spam filter policy:
Set-HostedOutboundSpamFilterPolicy Default -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients $ITSupportEmail
#Modify the default malware filter policy:
Set-MalwareFilterPolicy -Identity Default -Action DeleteMessage -EnableFileFilter $true -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress $ITSupportEmail

#ENABLE ARCHIVE MAILBOXES FOR ALL USERS:
#-ResultSize Unlimited avoids silently stopping at the default 1000-mailbox cap:
Get-Mailbox -ResultSize Unlimited -Filter {ArchiveStatus -eq "None" -and RecipientTypeDetails -eq "UserMailbox"} | Enable-Mailbox -Archive

#ENABLE EMAIL ENCRYPTION TAG:
#Create mail flow rule to encrypt messages using a subject line tag:
New-TransportRule -Name "Allow users to encrypt messages" -SubjectContainsWords "encrypt","encrypted","SecureMail" -Priority 0 -ApplyRightsProtectionTemplate Encrypt
#Allow users to download and decrypt attachments from encrypted emails:
Set-IRMConfiguration -DecryptAttachmentFromPortal $true 

#CONFIGURE ATP DEFAULT POLICIES
#Create the AllMailUsers Group, used to scope policies to all users
New-DynamicDistributionGroup -IncludedRecipients MailboxUsers -Name "AllMailUsers" -DisplayName "All Mail Users" -PrimarySMTPAddress AllMailUsers@$DomainName
#Configure ATP for Office 365 apps (Off by Default):
Set-AtpPolicyForO365 -EnableSafeLinksForClients $true -EnableATPForSPOTeamsODB $true
#Configure default Safe Links policy and rule:
New-SafeLinksPolicy -Name "Safe Links Policy" -IsEnabled $true 
New-SafeLinksRule -Name "Safe Links Rule" -SafeLinksPolicy "Safe Links Policy" -SentToMemberOf "AllMailUsers" 
#Configure default Safe Attachments policy and rule:
New-SafeAttachmentPolicy -Name "Safe Attachment Policy" -Enable $true -Redirect $true -RedirectAddress $ITSupportEmail
New-SafeAttachmentRule -Name "Safe Attachment Rule" -SafeAttachmentPolicy "Safe Attachment Policy" -SentToMemberOf "AllMailUsers"
#Configure the default Anti-phish policy and rule:
New-AntiPhishPolicy -Name "AntiPhish Policy" -Enabled $true -EnableOrganizationDomainsProtection $true -EnableAuthenticationSafetyTip $true -EnableAuthenticationSoftPassSafetyTip $false -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true -AuthenticationFailAction Quarantine
New-AntiPhishRule -Name "AntiPhish Rule" -AntiPhishPolicy "AntiPhish Policy" -SentToMemberOf "AllMailUsers"

Remove-PSSession $session
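Once the baseline has run, it is worth reading the settings back rather than trusting that every cmdlet succeeded (a single failed cmdlet in a long script is easy to miss, and settings drift later when someone changes them in the admin center). The following verification script is an added example, not part of the original post; it uses the Get-* counterparts of the cmdlets above, assumes an open Exchange Online session, and expects the policy names and $ITSupportEmail value used in the baseline (the address below is a placeholder).

```powershell
# Added example (not from the original post): verify the baseline and flag drift.
# Assumes an open Exchange Online session and the policy names used in the baseline script.
$ITSupportEmail = "support@companyname.com"   # placeholder; use the same value as in the baseline

# Each check: a name, a scriptblock that reads the live value, and the value the baseline sets.
$Checks = @(
    @{ Name = "Modern auth (OAuth2) enabled";      Actual = { (Get-OrganizationConfig).OAuth2ClientProfileEnabled };                                   Expected = $true }
    @{ Name = "Mobile policy requires encryption"; Actual = { (Get-MobileDeviceMailboxPolicy -Identity Default).RequireDeviceEncryption };              Expected = $true }
    @{ Name = "Spam action";                       Actual = { (Get-HostedContentFilterPolicy -Identity Default).SpamAction };                           Expected = "Quarantine" }
    @{ Name = "Bulk threshold";                    Actual = { (Get-HostedContentFilterPolicy -Identity Default).BulkThreshold };                        Expected = 7 }
    @{ Name = "Malware action";                    Actual = { (Get-MalwareFilterPolicy -Identity Default).Action };                                     Expected = "DeleteMessage" }
    @{ Name = "Outbound spam notifications";       Actual = { (Get-HostedOutboundSpamFilterPolicy -Identity Default).NotifyOutboundSpam };              Expected = $true }
    @{ Name = "OME attachment decryption";         Actual = { (Get-IRMConfiguration).DecryptAttachmentFromPortal };                                     Expected = $true }
    @{ Name = "Encrypt transport rule present";    Actual = { [bool](Get-TransportRule -Identity "Allow users to encrypt messages" -ErrorAction SilentlyContinue) }; Expected = $true }
    @{ Name = "Safe Links for Office clients";     Actual = { (Get-AtpPolicyForO365).EnableSafeLinksForClients };                                       Expected = $true }
    @{ Name = "Safe Links policy enabled";         Actual = { (Get-SafeLinksPolicy -Identity "Safe Links Policy").IsEnabled };                          Expected = $true }
    @{ Name = "Safe Attachments redirect address"; Actual = { (Get-SafeAttachmentPolicy -Identity "Safe Attachment Policy").RedirectAddress };         Expected = $ITSupportEmail }
    @{ Name = "Anti-phish auth fail action";       Actual = { (Get-AntiPhishPolicy -Identity "AntiPhish Policy").AuthenticationFailAction };            Expected = "Quarantine" }
)

$Results = @(foreach ($Check in $Checks) {
    # A missing policy throws; record the error text instead of aborting the whole report.
    try { $Actual = & $Check.Actual } catch { $Actual = "ERROR: $($_.Exception.Message)" }
    [pscustomobject]@{
        Check    = $Check.Name
        Expected = $Check.Expected
        Actual   = $Actual
        # String comparison so $true/"True" and 7/"7" compare cleanly.
        Status   = if ("$Actual" -eq "$($Check.Expected)") { "OK" } else { "DRIFT" }
    }
})

# User mailboxes still lacking an archive should be zero once Enable-Mailbox -Archive has run.
$NoArchive = @(Get-Mailbox -ResultSize Unlimited -Filter {ArchiveStatus -eq "None" -and RecipientTypeDetails -eq "UserMailbox"})
$Results += [pscustomobject]@{
    Check = "User mailboxes without archive"; Expected = 0; Actual = $NoArchive.Count
    Status = if ($NoArchive.Count -eq 0) { "OK" } else { "DRIFT" }
}

$Results | Format-Table -AutoSize
if ($Results.Status -contains "DRIFT") {
    Write-Warning "Baseline drift detected; review the rows marked DRIFT."
}
```

Run it right after provisioning and again on a schedule; the DRIFT rows tell you which part of the baseline to re-apply, and the $Checks table is the single place to extend when you add your own settings.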

That’s it. Hope you find it a useful starting point, at least, in your own scripting adventures.
