Defender for Office 365 filtering-only scenario protection for your on-premises Exchange Server

Question

Do you anyone help me by guiding me to some documents as to how you deploy/configure Defender for Office 365 filtering-only scenario for your on-premises Exchange Server?

exmsw4319 · Answer

leohming&nbsp;&nbsp;In MDO delivery will appear as on-premises/external, effectively beyond the reach of Microsoft. So as Don says, no Zero-hour Automated Purge or manual remediations from the security portal. I think those restrictions apply equally to on-premises Exchange and third-party on-premises gear. You definitely want to decide what else will be allowed to talk directly to your on-premises equipment, and whether the on-premises system will be sending directly or back out through MDO. In the latter scenario, I think Exchange Online product limits will apply. However, if you allow on-premises to send directly then you lose the MDO anti-virus tripwire for an internal infection and you lose any outbound compliance / auditing controls you might otherwise gain from the Microsoft cloud.&nbsp;If you have Outlook clients served by the on-premises system then the Report Message add-in will still work, but that will only help vs later attacks because you have no ZAP.&nbsp;Hybrid is a fairly big topic and I have probably left a few things out.

exmsw4319 · Answer

I do not know for certain, but the attacks are dropped directly into the target mailboxes and do not appear on any message trace. That probably means that the attacks could not be forwarded out to an external mailbox. A quick Google suggests that it does not even work for on-premises Exchange recipients, though I cannot see an authoritative MS resource at first sight.

joe stocker · Answer

There is really very little difference. Here are some tips: Don't enable Dynamic Delivery for the Safe Attachment Policy, since this requires the mailbox to be in the cloud. Instead use the "Block" policy. And understand the ZAP feature will not work. Lastly, understand that if the Accepted Domain is set to Internal, then the Directory-based-edge filtering feature will not work (you need to set it to Authoritative for that feature to work). However, before setting it to Authoratative, you should first make sure that all your mail enabled objects on-premises are represented as mailuser object types in the cloud otherwise inbound mail flow won't reach the on-premises object if it is not found in the directory. In the past this used to be a problem for mail-enabled public folders, but there is now a checkbox to enable that in Azure AD Connect.

leohming · Answer

Hi Joe， how about the Defender for Office 365 filtering-only scenario for any other on-premises SMTP email solution? What function of MDO will not work in this scenario?

exmsw4319 · Answer

For some technologies, you can add headers using Exchange Online mail flow rules to be read by the on-premises system. The same concept can work in reverse if you have a third-party gateway technology adding headers to be read by an on-premises Exchange transport rule. Disclaimer: I rarely use the latest version of Exchange.

Forum Discussion

Defender for Office 365 filtering-only scenario protection for your on-premises Exchange Server

7 Replies

Resources