Updates to my Exchange Online and Office 365 ATP scripts
Just a quick note: this week I updated the Exchange Online and ATP scripts that I publish and use to provision new tenants, so that they fall more in line with the new best practices published by the Exchange Online Protection and Office 365 ATP teams.* You can also use the new PowerShell module called ORCA and then run Get-ORCAReport, which produces a nice HTML summary for you. After running my scripts on a brand new tenant you will have mostly clear results:
If you apply the settings in these scripts, only one other configuration task remains before you are in complete alignment with their new standard protection baseline, and that setting is optional: adding TargetedUsersToProtect (this is where you name up to 60 email addresses and display names that should receive extra protection against impersonation).
In the break-out session I attended at Ignite, they mentioned there is a new feature, via mailbox intelligence, that will protect all users in the tenant against impersonation by default, and that this change should make the old limit of 60 "targeted users" much less of a constraint. However, you can still use this feature if you want to, and name up to 60 external users, for instance.
To edit the policy from protection.office.com, go to the Anti-phishing policy area under Threat Management > Policy. Click Default Policy and then edit the Impersonation settings. Set Add users to protect to On and click Add user. Enter only one name at a time.
Other simplifications
I simplified these scripts in a few key areas from what I had published previously. I now have three main scripts:
Baseline-ExchangeOnline.ps1 – This is now iterated to version 2.0. It still prompts you before making each setting change, meaning you need to consent with Y or deny with N (or any other key). It does not contain any prompts for features that would only be in higher-level subscriptions, so it should be compatible with every Office 365 Exchange Online plan. Also be aware that it resets the default policies for EOP rather than creating new policies with a corresponding rule (the simplified option for new tenants).
Baseline-365ATP.ps1 – Also iterated to version 2.0, and with a slightly different name from before. This covers just the Office 365 ATP P1 features. The script no longer requires you to specify any variables: the recipient domains to protect are worked out simply by grabbing all accepted domains, so be sure to verify your vanity domain names BEFORE applying the settings in this script to a new tenant. It also modifies the default anti-phish policy rather than creating a new one with a rule (the simplified option for new tenants).
Baseline-M365BTenant.ps1 – Most of my readers in the SMB community will be interested in this one, since it basically just combines the other two into one single script (Microsoft 365 Business includes Office 365 ATP P1). Note that you could have other subscriptions that include ATP P1 (like E5) and this script would still work, so ignore the name if you want to!
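To make concrete what the ATP script does with accepted domains and the default anti-phish policy, and how the optional TargetedUsersToProtect step from the earlier section looks outside the portal, here is an added example of my own (not code from the scripts in the repository). It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline from the ExchangeOnlineManagement module) with a role that can edit anti-phish policies; the Confirm-Step function, the $UsersToProtect list and the example.com addresses are constructed for illustration.

```powershell
# Added example, not from the published baseline scripts.
# Assumes an already-connected Exchange Online PowerShell session.
# Cmdlets used: Get-AcceptedDomain, Get-AntiPhishPolicy, Set-AntiPhishPolicy.

# Optional list of high-value recipients for impersonation protection.
# -TargetedUsersToProtect expects entries in the form "DisplayName;EmailAddress".
# These entries are constructed placeholders, not real people.
$UsersToProtect = @(
    'Jane Doe (CEO);jane.doe@example.com',
    'Accounts Payable;ap@example.com'
)

function Confirm-Step {
    # Mirrors the scripts' behaviour: Y applies the change, any other key skips it.
    param([Parameter(Mandatory)][string]$Message)
    $answer = Read-Host -Prompt "$Message [Y/N]"
    return ($answer -match '^[Yy]$')
}

# 1. Discover the recipient domains. Only verified domains show up as accepted
#    domains, which is why vanity domains must be verified before this runs.
$domains = Get-AcceptedDomain |
    Where-Object { $_.DomainType -eq 'Authoritative' } |
    ForEach-Object { $_.DomainName.ToString() }
Write-Host 'Accepted (verified) domains that will be protected:'
$domains | ForEach-Object { Write-Host "  $_" }

# 2. Modify the default policy rather than creating a new policy plus rule.
$policy = Get-AntiPhishPolicy | Where-Object { $_.IsDefault }

if (Confirm-Step "Enable domain impersonation protection on '$($policy.Name)' for the domains above?") {
    Set-AntiPhishPolicy -Identity $policy.Identity `
        -EnableTargetedDomainsProtection $true `
        -TargetedDomainsToProtect $domains `
        -TargetedDomainProtectionAction Quarantine `
        -EnableMailboxIntelligence $true `
        -EnableMailboxIntelligenceProtection $true
}

# 3. The optional step: named users. The policy accepts at most 60 entries,
#    so fail early rather than letting the cmdlet reject the whole list.
if ($UsersToProtect.Count -gt 60) {
    throw "TargetedUsersToProtect accepts at most 60 entries; $($UsersToProtect.Count) supplied."
}
$malformed = $UsersToProtect | Where-Object { $_ -notmatch '^[^;]+;[^;\s@]+@[^;\s@]+$' }
if ($malformed) {
    throw "Entries must be 'DisplayName;EmailAddress': $($malformed -join ', ')"
}

if (Confirm-Step "Add $($UsersToProtect.Count) targeted users to protect?") {
    Set-AntiPhishPolicy -Identity $policy.Identity `
        -EnableTargetedUserProtection $true `
        -TargetedUsersToProtect $UsersToProtect `
        -TargetedUserProtectionAction Quarantine
}

# 4. Read back the result so it can be compared against Get-ORCAReport.
Get-AntiPhishPolicy -Identity $policy.Identity |
    Select-Object Name, EnableTargetedDomainsProtection, TargetedDomainsToProtect,
                  EnableTargetedUserProtection, TargetedUsersToProtect
```

Two caveats worth knowing before running something like this against a tenant that is not brand new: -TargetedDomainsToProtect and -TargetedUsersToProtect replace the existing lists rather than appending to them, so capture the current values first if the policy has already been customised, and the Quarantine action is my choice here; pick whichever action matches the baseline you are following.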
And there are still several standalone (and optional) scripts in the repository, to help with items like configuration of DKIM, disabling interactive shared mailbox sign-on, turning on the archive mailbox and legal hold capabilities, and more.
Cheers, and have a good weekend!
*The published table of settings in that article is actually slightly different from what is laid out in the ORCA module right now, but I'm keeping an eye on it, and will update the scripts as needed, until they release the new "easy buttons" in the Security & Compliance center.
Comments (3)
Alex, thank you for your continued updates and betterment, it’s massively appreciated by your community.
Hi Alex, really appreciate your content!
I was wondering if there is any particular reason why you're not modifying the MailboxPlan in your scripts so that new mailboxes are created with parameters "Get-MailboxPlan | Set-MailboxPlan -RetainDeletedItemsFor 30"?
Hey, good catch! Thanks!