Forum Discussion
robinhailey
Feb 09, 2024 | Copper Contributor
Defender for Office Policy Assignment by Domain
Hello - Sorry, this is a little bit long... We've been testing MDO and have run into an issue that seems like a 'bug' but, I've been unable to find any other reports of it online. I have a t...
robinhailey
Feb 22, 2024 | Copper Contributor
I just wanted to come back and post what I learned from my Microsoft case on this issue. Apparently, if you use multiple conditions for policy assignments - ie user, group and/or domain - those are AND conditions so the recipient must match all of the assignment types.
For example, if I add email address removed for privacy reasons and then the group email address removed for privacy reasons - where email address removed for privacy reasons includes 'user2' and 'user3'. An email sent to user1 will NOT be scanned by the policy because user1 is not also part of the group.
This is documented here (this is the malware doc but, you can find the same blurb in the others):
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide#recipient-filters-in-anti-malware-policies
I can't fully wrap my head around why the logic was setup that way but, at least I have an answer to my issue. Hopefully this will help someone in the future that may run into the same issue.
Thanks to Joe Stocker / MatejKlemencic for taking the time to respond.
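As an added illustration (not Microsoft's code and not anything posted in this thread), a small model of the recipient-filter logic the case confirmed: values within one condition type are ORed, different condition types are ANDed. The addresses, the group membership table and the evaluator itself are constructed assumptions, standing in for the addresses removed from the posts above.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Recipient conditions of one EOP/MDO policy (hypothetical model of the
    'Users', 'Groups' and 'Domains' boxes in the policy assignment UI)."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    domains: set = field(default_factory=set)

def matches(policy, recipient, membership):
    """Return True when the policy applies to `recipient`.

    `membership` maps a group address to the set of its members (constructed).
    Multiple values of one condition type are ORed; different condition types
    are ANDed, which is why a user listed directly but absent from a listed
    group is not covered. A policy with no conditions matches nobody.
    """
    recipient = recipient.lower()
    domain = recipient.rsplit("@", 1)[1] if "@" in recipient else ""
    checks = []
    if policy.users:
        checks.append(recipient in {u.lower() for u in policy.users})
    if policy.groups:
        checks.append(any(recipient in membership.get(g, set()) for g in policy.groups))
    if policy.domains:
        checks.append(domain in {d.lower() for d in policy.domains})
    return bool(checks) and all(checks)

# Constructed sample data standing in for the addresses removed from the thread.
MEMBERS = {"group@example.com": {"user2@example.com", "user3@example.com"}}

def user_plus_group_example():
    """Feb 22 post: user1 assigned directly, plus a group holding user2 and user3."""
    policy = Policy(users={"user1@example.com"}, groups={"group@example.com"})
    return {r: matches(policy, r, MEMBERS)
            for r in ("user1@example.com", "user2@example.com")}

def mixed_domain_example():
    """Feb 15 post: domain-only assignment versus domain plus one outside user."""
    domains_only = Policy(domains={"example.com"})
    mixed = Policy(domains={"example.com"}, users={"outsider@other.example"})
    return {
        "domains_only/alice": matches(domains_only, "alice@example.com", MEMBERS),
        "mixed/alice": matches(mixed, "alice@example.com", MEMBERS),
        "mixed/outsider": matches(mixed, "outsider@other.example", MEMBERS),
    }

if __name__ == "__main__":
    print(user_plus_group_example())  # neither user1 nor user2 is covered
    print(mixed_domain_example())     # adding one user silently breaks the domain match
```

Both mixed assignments end up covering nobody, which is the behaviour the Feb 15 tests observed; only the domain-only policy covers its recipient.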
robinhailey
Feb 12, 2024 | Copper Contributor
Hi MatejKlemencic
Thanks for replying. No, our Exchange is fully cloud based (no hybrid). For the accounts/domains in question, yes, the MX records are pointing directly to Exchange Online. I've not tried adding the onmicrosoft.com domain but will do that. If that were to work, what would that tell me about the associated primary domain?
Thanks,
Robin
MatejKlemencic
Feb 12, 2024 | Brass Contributor
Hi robinhailey
Give it a try despite the odds. I've encountered unusual email routing between onmicrosoft.com and customer owned domains. Consider creating a policy through PowerShell as well; it has proven helpful in the past > https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide#use-powershell-to-create-anti-malware-policies
Keep in mind that Anti-Malware is part of EOP not MDO > https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-about?view=o365-worldwide#how-eop-works
robinhailey
Feb 12, 2024 | Copper Contributor
Hi MatejKlemencic -
Thanks - I haven't had a chance, yet, to try the onmicrosoft suggestion yet.
I was thinking I should try recreating the policies (again) - maybe this time I'll do it via Powershell.
Just as an FYI, it's not just the anti-malware that this is happening on. I've confirmed it's doing the same thing with the anti-phishing policy as well. I haven't tested the others, was just assuming they weren't going to behave in the same manner.
robinhailey
Feb 15, 2024 | Copper Contributor
Joe Stocker / MatejKlemencic
Some additional info I've discovered today after some further testing.
I recreated a couple of the policies from scratch (again) just in case something was a little goofy with them.
Immediately upon doing that, I added only domains to the assignment. I then sent some test messages to users in those domains - lo and behold, the tests were received/rejected as I was expecting.
So, I added a specific user to the assignment (user was not part of any of the domains) and re-tested. The test messages were then received/rejected incorrectly - as they'd been previously. I removed the user, again leaving just the domains, and retested. The test messages were again received/rejected correctly.
I tried the same test but with a group assigned (in place of the user) and the domains. Same thing: with the group assigned, the receptions/rejections were incorrect. Remove the group and all is well.
So, it seems the problem I'm having isn't the domain assignment, specifically, but, when the assignments are mixed between domain and user/group. Do either of you have mixed assignments on your policies?
Thanks,
Robin