Forum Discussion

TomWechsler's avatar
Jan 20, 2022

Why, for example, setting up a Safe Links policy does not work with a new Microsoft 365 tenant!

 

Dear Microsoft 365 Friends,

 

In this article I would like to share a few experiences with you.

 

It is about the following situation. A brand new Microsoft 365 tenant was set up for a customer. After the basic configuration, it was on to the security configurations. Among other things with the setup of a Safe Links policy. However, when setting up this policy, an error message appeared at the very end. No, it is not due to the licenses, this has already been checked.

 

 

However, the error message does not make sense. After a few searches on the "net", it turned out that the Microsoft 365 tenant was dehydrated. Hmm, what does that mean again and how is this checked? This is where the PowerShell comes into play.

 

I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments):

 

#The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE

Set-Location C:\Temp
Clear-Host

 

#We need the exchange online module
Install-Module -Name ExchangeOnlineManagement -Verbose -AllowClobber -Force

 

#Lets connect
Connect-ExchangeOnline

 

#Did it work?
Get-Mailbox

 

#We can check the dehydrate status using the below command:
Get-OrganizationConfig | Format-List Identity,IsDehydrated

 

#If the Microsoft 365 tenant is dehydrated. We can hydrate the tenant using the below command:
Enable-OrganizationCustomization

 

#We can check the dehydrate status using the below command:
Get-OrganizationConfig | Format-List Identity,IsDehydrated

 

OK, the tenant is now no longer dehydrated, but what exactly did we do especially with CMDLET "Enable-OrganizationCustomization"? The answer is given in the following Microsoft Doc article:

https://docs.microsoft.com/en-us/powershell/module/exchange/enable-organizationcustomization?view=exchange-ps

 

Among other things, it is described that the following functions are created/enabled (a small excerpt from the article):

 

- Creating a new role group or creating a new management role assignment.
- Creating a new role assignment policy or modifying a built-in role assignment policy.
- Creating a new Outlook on the web mailbox policy or modifying a built-in Outlook on the web mailbox policy.
- Creating a new sharing policy or modifying a built-in sharing policy.
- Creating a new retention policy or modifying a built-in retention policy.
- Enabling preset security policies in the Microsoft 365 Security Center.

 

Especially in our case, the last line is interesting! Now let's see if we can create a Safe Links policy.

 

I already realize that this wasn't super exciting, but I still wanted to share this experience with you. I hope this article was useful. Thank you for taking the time to read the article.


Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

No RepliesBe the first to reply

Resources