Forum Discussion
robinhailey
Feb 09, 2024 - Copper Contributor
Defender for Office Policy Assignment by Domain
Hello - Sorry, this is a little bit long... We've been testing MDO and have run into an issue that seems like a 'bug', but I've been unable to find any other reports of it online. I have a t...
- Feb 22, 2024 - I just wanted to come back and post what I learned from my Microsoft case on this issue. Apparently, if you use multiple conditions for policy assignments - i.e. user, group and/or domain - those are AND conditions, so the recipient must match all of the assignment types.
For example, if I add [email address removed for privacy reasons] and then the group [email address removed for privacy reasons] - where [email address removed for privacy reasons] includes 'user2' and 'user3' - an email sent to user1 will NOT be scanned by the policy because user1 is not also part of the group.
This is documented here (this is the malware doc, but you can find the same blurb in the others):
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide#recipient-filters-in-anti-malware-policies
I can't fully wrap my head around why the logic was set up that way, but at least I have an answer to my issue. Hopefully this will help someone in the future who may run into the same issue.
Thanks to Joe Stocker / MatejKlemencic for taking the time to respond.
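The AND logic described in the post above, as an added example that is not part of the original thread or Microsoft's code: a small PowerShell model of how a rule's recipient conditions combine, plus a check that flags rules mixing condition types. The contoso.com addresses, the `$groups` lookup and both function names are constructed for illustration; `SentTo`, `SentToMemberOf` and `RecipientDomainIs` are the rule properties returned by `Get-MalwareFilterRule`.

```powershell
# Model of recipient-filter evaluation: values inside one condition type are ORed,
# the condition types themselves are ANDed.
function Test-RecipientInScope {
    param(
        [Parameter(Mandatory)] [string] $Recipient,
        [Parameter(Mandatory)] $Rule,       # object exposing SentTo / SentToMemberOf / RecipientDomainIs
        [hashtable] $GroupMembers = @{}     # assumption: group address -> already-expanded member list
    )
    $checks = @()
    if ($Rule.SentTo) {
        $checks += ($Rule.SentTo -contains $Recipient)
    }
    if ($Rule.SentToMemberOf) {
        # True when the recipient is a member of at least one listed group
        $checks += [bool]($Rule.SentToMemberOf | Where-Object { $GroupMembers[$_] -contains $Recipient })
    }
    if ($Rule.RecipientDomainIs) {
        $checks += ($Rule.RecipientDomainIs -contains $Recipient.Split('@')[-1])
    }
    # Every populated condition type must match; a rule with no conditions matches nobody here
    return ($checks.Count -gt 0) -and ($checks -notcontains $false)
}

# Flags rules that populate more than one condition type, i.e. rules whose scope
# is the intersection of the conditions rather than their union.
function Get-MixedConditionRule {
    param([Parameter(ValueFromPipeline)] $Rule)
    process {
        $used = 'SentTo', 'SentToMemberOf', 'RecipientDomainIs' | Where-Object { $Rule.$_ }
        if (@($used).Count -gt 1) {
            [pscustomobject]@{ Name = $Rule.Name; ConditionTypes = $used -join ' AND ' }
        }
    }
}

# Constructed sample data mirroring the scenario in the post (not the poster's real addresses)
$groups = @{ 'pilot-group@contoso.com' = @('user2@contoso.com', 'user3@contoso.com') }
$rule = [pscustomobject]@{
    Name              = 'Pilot policy rule'
    SentTo            = @('user1@contoso.com')
    SentToMemberOf    = @('pilot-group@contoso.com')
    RecipientDomainIs = @()
}

'user1@contoso.com', 'user2@contoso.com', 'user3@contoso.com' | ForEach-Object {
    '{0} in scope: {1}' -f $_, (Test-RecipientInScope -Recipient $_ -Rule $rule -GroupMembers $groups)
}
$rule | Get-MixedConditionRule
```

In a connected Exchange Online PowerShell session, `Get-MalwareFilterRule | Get-MixedConditionRule` applies the same check to live rules.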
robinhailey
Feb 12, 2024 - Copper Contributor
Hi MatejKlemencic
Thanks for replying. No, our Exchange is fully cloud based (no hybrid). For the accounts/domains in question, yes, the MX records are pointing directly to Exchange Online. I've not tried adding the onmicrosoft.com domain but will do that. If that were to work, what would that tell me about the associated primary domain?
Thanks,
Robin
MatejKlemencic
Feb 12, 2024 - Brass Contributor
Hi robinhailey
Give it a try despite the odds. I've encountered unusual email routing between onmicrosoft.com and customer-owned domains. Consider creating a policy through PowerShell as well; it has proven helpful in the past > https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide#use-powershell-to-create-anti-malware-policies
Keep in mind that Anti-Malware is part of EOP, not MDO > https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-about?view=o365-worldwide#how-eop-works