Updated: Exchange Online baseline / best practices scripts

Back to Blog
06Aug2019

Updated: Exchange Online baseline / best practices scripts

I recently updated the scripts that I use to provision new Exchange Online tenants and configure them according to best practices, and I just uploaded these edits to GitHub.

The main script is Baseline-ExchangeOnline.ps1–this is like a “master” script that contains almost all of the others (with a couple of exceptions like Office 365 ATP). You can also run scripts individually; so if you only wanted to disable forwarding, for example, you could just run that script separately without receiving additional prompts.

The most notable difference in this update is the fact that the scripts no longer require you open and edit variables before running them. Instead, the scripts have been redesigned to run interactively, with the exception of the ATP script.* Therefore, you will be prompted to configure each setting individually. There are some benefits to this arrangement:

  • You can choose to consent only to the changes that you want to make (for example, if you aren’t ready to disable basic authentication, you do not have to say “Y” to that prompt)
  • You can choose not to consent to any of the changes, and simply use it as an assessment tool (most settings will first display what is and what is not enabled before giving you the option to change it)
  • And of course, you don’t have to open and edit anything, just run the script from your working directory e.g. .\Baseline-ExchangeOnline.ps1

Here are the items that Baseline-ExchangeOnline.ps1 will prompt you about:

  • Enable unified audit log, audit log age, and auditing actions
  • Set the default retention for deleted items to the maximum value of 30 days
  • Prevent winmail.dat attachments from appearing on certain mail clients
  • Display the ‘Encrypt’ button in Outlook on the Web
  • Disable connecting to outside storage locations such as GoogleDrive or consumer OneDrive via Outlook on the Web
  • Disable auto-forwarding to remote domains, with option to export a list of impacted mailboxes
  • Reset the default anti-spam, anti-malware and outbound spam policy
    • Script will also prompt for an email address that will receive alerts regarding malware and outbound spam
  • Modify the default mobile device mailbox policy to include 4-digit PIN requirement with encryption (Optional if using MDM/MAM)
  • Option to enable auto-expanding archive mailboxes and litigation hold features (requires Exchange Online Plan 2 or Exchange Online archiving)
  • Disable POP and IMAP on all mailboxes
  • Enable modern authentication and optionally disable basic auth

Scripts included in this repository which are NOT rolled up into the Baseline-ExchangeOnline.ps1 script include:

  • Setup-DKIM.ps1: This script prompts for your domain name and then reads back the CNAME records that you need to input at your DNS hosting provider to configure DKIM for your custom domain at Office 365; then it provides a pause until you are ready to check the result (recommend taking a coffee break)
  • Block-UnmanagedAttachmentDownload.ps1: This script requires Azure AD Premium P1 or Microsoft 365 Business, and you must also configure a Conditional access policy separately (as of today); it will block attachment downloads from OWA on unmanaged devices.
  • Baseline-ATP-P1.ps1*: Configures Safe Links, Safe Attachments and Anti-phish policies; NOTE: this script is NOT interactive, and still requires you to edit the variables at the start of the script in order to run it successfully for your tenant

Here again is a link to the repository.

I hope you find these tools as useful as I do. I will be updating/adding some additional scripts for other Microsoft 365 services soon. Stay tuned.

*The exception here is Baseline-ATP-P1.ps1–I haven’t gotten around to making this one interactive yet since you need to list out targeted users that you want to protect. I just haven’t taken time to figure out the logic to prompt for adding users and looping it as many times as you want. Or maybe it could be done with a CSV import. Anyway, this one’s still on the backlog–until then, just open and edit the variables as before.

Technical , , , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

27Oct

Step-by-Step: How to upgrade a Legacy Hybrid Exchange Server to 2016

One of the most common frustrations I hear from readers and clients alike is the requirement for keeping a hybrid Exchange server around, even well after all of your mailboxes have been moved to the cloud. Microsoft's official stance regarding hybrid is this: If you remove... read more
18Feb

How-to migrate Email from Small Business Server 2008/2011 or Exchange Server 2007/2010 to Office 365 with Zero Downtime

Update: Please refer to this newer article. Some of the details here are very dated--like there is no hybrid key anymore--and the activation only works on 2016, not 2019, plus we have minimal hybrid now, etc., etc. A "minimal hybrid" approach is preferred if you're... read more
17Sep

Enable the Archive Mailbox and modify the default retention policy (for cloud-only and hybrid users)

In any subscription that includes Exchange Online Archiving, such as Office 365 E3 or Microsoft 365 Business (as well as any subscription to which the Archiving add-on is applied), it is possible to enable an unlimited storage container for those hoarders out there, known as... read more
27Aug

How to configure Advanced Threat Protection (ATP) part 3: safe links

This will be our last post in this series on Advanced Threat Protection (ATP). We have previously covered anti-phishing policies and safe attachments. Now we will consider safe links. Safe links are basically just taking hyperlinks which exist in Exchange email messages or other content in... read more
01Sep

2016 Essentials Integration: Azure Backup

Customers of the late SBS line of products will be familiar with the Essentials Experience backup options for client PC's, and Windows Server Backup to external hard drive, but these days we have a new option with Microsoft Cloud Services integration: reliable offsite backups to the Azure cloud. From the... read more
30Jun

Migrating DHCP from SBS to Windows Server 2016

If you have a small network without much complexity (e.g. single subnet, a firewall, a few devices), you might consider having DHCP handled by the firewall rather than your new Windows Server--in that case, see Option 1 below. Otherwise, if would rather continue managing DHCP from Windows Server, then you... read more
04May

Password best practices

Some people say passwords are dead. I don't know if I 100% agree with that, since in actual fact and practice, we still rely on them heavily to secure access to our personal information online. The idea behind these "passwords are dead" sentiments is that... read more
16Nov

How to deal with Dynamic Distribution Groups in an Office 365 Hybrid Scenario

Dynamic Distribution Groups are not directly "migratable" to Office 365. (Yes, I just made that word up, but now it is a real word--that's how words are made). In a hybrid scenario, where you have Azure AD Connect synchronizing your Active Directory objects for single-sign... read more
18Apr

How to migrate company file shares and mapped drives to Office 365 using the SharePoint Migration Tool

I debated on writing about this tool for a long time. Because here's the thing: most file servers in production today are just huge garbage piles, built out of years of half-completed thoughts and haphazard document collaboration. Therefore, before we get into it, I first... read more
18Feb

YES!!! The Encrypt button is coming to Outlook on the Web!!!

I am so happy to see in my tenant the new Encrypt button (replaces the "Protect" button). I am not on the standard release in my tenant, so you might not see this right away if you're just following standard. Any tenant with AIP (e.g. E3,... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me