Updated: Exchange Online baseline / best practices scripts
Alex Fields
I recently updated the scripts that I use to provision new Exchange Online tenants and configure them according to best practices, and I just uploaded these edits to GitHub.
The main script is Baseline-ExchangeOnline.ps1. This is a “master” script that contains almost all of the others (with a couple of exceptions, such as Office 365 ATP). You can also run the scripts individually; if you only want to disable forwarding, for example, you can run that script on its own without receiving the other prompts.
The most notable change in this update is that the scripts no longer require you to open and edit variables before running them. Instead, they have been redesigned to run interactively, with the exception of the ATP script.* You will be prompted to configure each setting individually. There are some benefits to this arrangement:
- You can choose to consent only to the changes that you want to make (for example, if you aren’t ready to disable basic authentication, you do not have to say “Y” to that prompt)
- You can choose not to consent to any of the changes, and simply use it as an assessment tool (most settings will first display what is and what is not enabled before giving you the option to change it)
- And of course, you don’t have to open and edit anything, just run the script from your working directory e.g. .\Baseline-ExchangeOnline.ps1
Here are the items that Baseline-ExchangeOnline.ps1 will prompt you about:
- Enable unified audit log, audit log age, and auditing actions
- Set the default retention for deleted items to the maximum value of 30 days
- Prevent winmail.dat attachments from appearing on certain mail clients
- Display the ‘Encrypt’ button in Outlook on the Web
- Disable connecting to outside storage locations such as GoogleDrive or consumer OneDrive via Outlook on the Web
- Disable auto-forwarding to remote domains, with option to export a list of impacted mailboxes
- Reset the default anti-spam, anti-malware and outbound spam policy
- The script will also prompt for an email address that will receive alerts regarding malware and outbound spam
- Modify the default mobile device mailbox policy to include 4-digit PIN requirement with encryption (Optional if using MDM/MAM)
- Option to enable auto-expanding archive mailboxes and litigation hold features (requires Exchange Online Plan 2 or Exchange Online archiving)
- Disable POP and IMAP on all mailboxes
- Enable modern authentication and optionally disable basic auth
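The following is an added example, not code from the repository or from the author: it shows the “assess first, then ask” pattern the post describes, applied to two of the items above (auto-forwarding to remote domains, and POP/IMAP). It assumes the ExchangeOnlineManagement module is loaded and a Connect-ExchangeOnline session already exists; the helper name Invoke-BaselineStep and the export file name ForwardingMailboxes.csv are my own.

```powershell
# Added example (not from the repository): the "assess first, then ask" pattern
# from the post, applied to two baseline items. Assumes ExchangeOnlineManagement
# is loaded and Connect-ExchangeOnline has already been run.

function Invoke-BaselineStep {
    # Shows the current state, asks for consent, and only then applies the change.
    # $Assess returns $true when the tenant is already compliant (nothing to do).
    param(
        [Parameter(Mandatory)] [string]      $Name,
        [Parameter(Mandatory)] [scriptblock] $Assess,
        [Parameter(Mandatory)] [scriptblock] $Remediate
    )
    Write-Host "== $Name ==" -ForegroundColor Cyan
    if (& $Assess) {
        Write-Host "Already configured; nothing to do."
        return
    }
    $answer = Read-Host "Apply this change? (Y/N)"
    if ($answer -match '^[Yy]') {
        & $Remediate
        Write-Host "Done." -ForegroundColor Green
    } else {
        Write-Host "Skipped (assessment only)." -ForegroundColor Yellow
    }
}

# 1. Auto-forwarding to remote domains
Invoke-BaselineStep -Name 'Disable auto-forwarding to remote domains' -Assess {
    $remotes = Get-RemoteDomain
    $remotes | Select-Object Name, DomainName, AutoForwardEnabled | Format-Table -AutoSize | Out-Host
    -not ($remotes | Where-Object { $_.AutoForwardEnabled })
} -Remediate {
    Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } |
        Set-RemoteDomain -AutoForwardEnabled $false
}

# Optional export of mailboxes that already forward mail at the mailbox level,
# so the admin can review who is affected before (or after) the change.
$forwarders = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward
if ($forwarders) {
    $path = Join-Path (Get-Location) 'ForwardingMailboxes.csv'   # constructed file name
    $forwarders | Export-Csv -Path $path -NoTypeInformation
    Write-Host "$($forwarders.Count) mailbox(es) with forwarding exported to $path"
}

# 2. POP and IMAP on all mailboxes
Invoke-BaselineStep -Name 'Disable POP and IMAP on all mailboxes' -Assess {
    $cas     = Get-CASMailbox -ResultSize Unlimited
    $enabled = $cas | Where-Object { $_.PopEnabled -or $_.ImapEnabled }
    Write-Host "$($enabled.Count) of $($cas.Count) mailbox(es) still have POP or IMAP enabled"
    -not $enabled
} -Remediate {
    Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
        Set-CASMailbox -PopEnabled $false -ImapEnabled $false
    # New mailboxes inherit protocol settings from the plan, so turn it off there as well.
    Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
}
```

Answering N at every prompt turns the run into a read-only assessment, which is the use the post mentions; the export step runs regardless because it only reads mailbox properties.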
Scripts included in this repository which are NOT rolled up into the Baseline-ExchangeOnline.ps1 script include:
- Setup-DKIM.ps1: This script prompts for your domain name and then reads back the CNAME records that you need to input at your DNS hosting provider to configure DKIM for your custom domain at Office 365; then it provides a pause until you are ready to check the result (recommend taking a coffee break)
- Block-UnmanagedAttachmentDownload.ps1: This script requires Azure AD Premium P1 or Microsoft 365 Business, and you must also configure a Conditional Access policy separately (as of today); it will block attachment downloads from OWA on unmanaged devices.
- Baseline-ATP-P1.ps1*: Configures Safe Links, Safe Attachments and Anti-phish policies; NOTE: this script is NOT interactive, and still requires you to edit the variables at the start of the script in order to run it successfully for your tenant
I hope you find these tools as useful as I do. I will be updating/adding some additional scripts for other Microsoft 365 services soon. Stay tuned.
*The exception here is Baseline-ATP-P1.ps1: I haven’t gotten around to making this one interactive yet, since you need to list out the targeted users that you want to protect. I just haven’t taken time to figure out the logic to prompt for adding users and looping it as many times as you want. Or maybe it could be done with a CSV import. Anyway, this one’s still on the backlog; until then, just open and edit the variables as before.
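As an added example (not the author’s code and not part of the repository), here are both of the approaches the footnote mentions for collecting the targeted-user list without editing variables: a prompt loop that repeats until you leave the name blank, and a CSV import. The functions Read-TargetedUsers and Import-TargetedUsers, the CSV column names DisplayName and EmailAddress, and the policy name in $policyName are my own assumptions; the "DisplayName;EmailAddress" entry format is what the TargetedUsersToProtect parameter of Set-AntiPhishPolicy expects.

```powershell
# Added example (not from the repository): gather the users to protect for the
# Anti-phish policy interactively or from a CSV, then apply only after review.
# Assumes an existing Connect-ExchangeOnline session.

function Read-TargetedUsers {
    # Prompts for users one at a time until an empty display name is entered.
    $users = @()
    while ($true) {
        $name = Read-Host "Display name of user to protect (blank to finish)"
        if ([string]::IsNullOrWhiteSpace($name)) { break }
        $email = Read-Host "Email address for $name"
        if ($email -notmatch '^[^@\s]+@[^@\s]+$') {
            Write-Warning "'$email' does not look like an email address; skipping"
            continue
        }
        $users += "$name;$email"   # format expected by -TargetedUsersToProtect
    }
    return $users
}

function Import-TargetedUsers {
    # Reads the same list from a CSV with DisplayName and EmailAddress columns
    # (assumed column names).
    param([Parameter(Mandatory)] [string] $Path)
    Import-Csv -Path $Path | ForEach-Object { "$($_.DisplayName);$($_.EmailAddress)" }
}

$choice   = Read-Host "Enter users interactively (I) or import from CSV (C)?"
$targeted = @(
    if ($choice -match '^[Cc]') {
        Import-TargetedUsers -Path (Read-Host "Path to CSV file")
    } else {
        Read-TargetedUsers
    }
)

if ($targeted.Count -eq 0) {
    Write-Host "No users supplied; targeted user protection left unchanged."
} else {
    Write-Host "Users that will be protected:"
    $targeted | ForEach-Object { Write-Host "  $_" }
    if ((Read-Host "Apply to the anti-phish policy? (Y/N)") -match '^[Yy]') {
        $policyName = 'Office365 AntiPhish Default'   # assumed policy name; adjust for your tenant
        Set-AntiPhishPolicy -Identity $policyName `
            -EnableTargetedUserProtection $true `
            -TargetedUsersToProtect $targeted
    }
}
```

Keeping the list in a variable and echoing it before the final Y/N prompt gives the same review-then-consent behaviour as the rest of the baseline, and the CSV path means a tenant’s VIP list can be maintained outside the script.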