Forum Discussion
robinhailey
Feb 09, 2024
Copper Contributor
Defender for Office Policy Assignment by Domain
Hello - Sorry, this is a little bit long... We've been testing MDO and have run into an issue that seems like a 'bug' but, I've been unable to find any other reports of it online. I have a t...
- Feb 22, 2024
I just wanted to come back and post what I learned from my Microsoft case on this issue. Apparently, if you use multiple conditions for policy assignments - i.e. user, group and/or domain - those are AND conditions, so the recipient must match all of the assignment types.
For example, if I add [email address removed for privacy reasons] and then the group [email address removed for privacy reasons] - where [email address removed for privacy reasons] includes 'user2' and 'user3' - an email sent to user1 will NOT be scanned by the policy because user1 is not also part of the group.
This is documented here (this is the malware doc, but you can find the same blurb in the others):
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide#recipient-filters-in-anti-malware-policies
I can't fully wrap my head around why the logic was set up that way, but at least I have an answer to my issue. Hopefully this will help someone in the future who may run into the same issue.
Thanks to Joe Stocker / MatejKlemencic for taking the time to respond.
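The matching logic described in the update above, as an added example that is not part of the thread: one condition type matches if any of its values match (OR), but every populated condition type must match (AND). The rule object mirrors the SentTo, SentToMemberOf and RecipientDomainIs properties that Get-MalwareFilterRule returns; the function name, the example.com addresses and the group membership are constructed for the demonstration.

```powershell
# Added example (not from the thread). Evaluates whether a recipient is covered
# by a recipient filter whose condition types are AND'ed together, with OR
# between the values of a single type. The rule objects below are constructed
# and only mimic the shape of what Get-MalwareFilterRule returns.

function Test-RecipientMatchesRule {
    param(
        [Parameter(Mandatory)] $Rule,            # has SentTo, SentToMemberOf, RecipientDomainIs
        [Parameter(Mandatory)] [string] $Recipient,
        [string[]] $RecipientGroups = @()        # groups the recipient belongs to
    )
    $domain = ($Recipient -split '@')[-1]
    $checks = @()
    # Only condition types that have values take part; each contributes one AND term.
    if ($Rule.SentTo)            { $checks += ($Rule.SentTo -contains $Recipient) }
    if ($Rule.SentToMemberOf)    { $checks += [bool]($Rule.SentToMemberOf | Where-Object { $RecipientGroups -contains $_ }) }
    if ($Rule.RecipientDomainIs) { $checks += ($Rule.RecipientDomainIs -contains $domain) }
    if ($checks.Count -eq 0) { return $false }   # assumption: a rule with no conditions matches nobody
    return -not ($checks -contains $false)
}

# Constructed scenario from the update: user1 listed directly, plus a group
# that contains user2 and user3. Two condition types -> both must match.
$andRule = [pscustomobject]@{
    SentTo            = @('user1@example.com')
    SentToMemberOf    = @('scan-group@example.com')
    RecipientDomainIs = @()
}
# Single condition type (domain only), which covers every recipient in the domain.
$domainRule = [pscustomobject]@{
    SentTo            = @()
    SentToMemberOf    = @()
    RecipientDomainIs = @('example.com')
}
$groupMembers = @{ 'scan-group@example.com' = @('user2@example.com', 'user3@example.com') }

foreach ($rcpt in 'user1@example.com', 'user2@example.com', 'user4@example.com') {
    $groups = @($groupMembers.Keys | Where-Object { $groupMembers[$_] -contains $rcpt })
    $andHit    = Test-RecipientMatchesRule -Rule $andRule    -Recipient $rcpt -RecipientGroups $groups
    $domainHit = Test-RecipientMatchesRule -Rule $domainRule -Recipient $rcpt -RecipientGroups $groups
    "{0,-18} user+group rule: {1,-5} domain-only rule: {2}" -f $rcpt, $andHit, $domainHit
}
# user1 is in SentTo but not in the group, user2 is in the group but not in SentTo:
# neither matches the user+group rule, which is exactly the gap the OP hit.
# All three match the domain-only rule because it has a single condition type.
```

To check a live tenant, pipe the output of Get-MalwareFilterRule into the function in place of the constructed objects; a rule showing values in more than one of these properties is the configuration to look for.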
Joe Stocker
Feb 11, 2024
Bronze Contributor
Just curious if you verified whether the test account has a Microsoft Defender for Office license assigned to it? Sometimes people think the functionality works as long as there is just one paid license in a tenant whereas sometimes the license must be assigned to all users where the protection is applied.
robinhailey
Feb 12, 2024
Copper Contributor
Joe, thanks for that.
The accounts I'm testing with are all shared mailbox accounts (so, either unlicensed or, in one case, an EOP1).
I hadn't considered the licensing status as a potential issue because when I assign the accounts specifically - either as an individual or as part of a group - the policies seem to apply correctly. It's only when I don't assign them individually, relying on the domain assignment, that the problem occurs.
I'll test with a licensed account and see if that makes any difference.
Robin
- robinhailey
Feb 12, 2024
Copper Contributor
Joe Stocker
Just an FYI, using a licensed account (E5) instead of the shared mailbox didn't change the outcome. Messages are still skipping the assigned policy when assigned by domain.