Forum Discussion

Iron Contributor

Jul 06, 2021

Solved

Best practice advice

Hello all I am fairly new to Defender for O365. I am the cloud admin for a small company roughly 1000 accounts. We are moving from mimecast to Defender for O365. I read the article regarding pres...

microsoft 365 defender

phishing

pvanberlo
Jul 06, 2021
Precedence works in this order:

Strict protection preset security policy
Standard protection preset security policy
Custom security policies
Default security policies

Which means if a setting is set in a policy with a higher precedence, it can’t be overridden in a lower policy. You should be OK by using your approach.

Skipster311-1

Iron Contributor

Jul 06, 2021

Got it, that answers my question. So if a setting is configured in a lower precedence policy, and that same setting is not mentioned in a higher precedence policy, then the setting will apply. This makes sense.

pvanberlo

MCT

Jul 06, 2021

Actually.. I'm having second thoughts about this 🙂 It's been a while since I last configured it. I'd recommend testing it to be sure, Microsoft's documentation does state the precedence, they however don't unambiguously state if this only applies on top level policies or goes down to the setting level.

If all else fails, you can of course decide to mimic most of the settings in the preset policies based on the info available at https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide.

Skipster311-1
Iron Contributor
Jul 06, 2021
Its strange that MS doesnt specifically call out how policy settings are applied that are in different polices. Example are they merged , if a lower level policy has configured setting that a high level policy setting does not, will the setting apply? They dont call this out and its a bit frustrating. From my understanding the preset polices cant be modified, so if i have to create safe or block lists i have to either use the default policy or create a new custom policy.