Forum Discussion
robinhailey
Feb 09, 2024 · Copper Contributor
Defender for Office Policy Assignment by Domain
Hello - Sorry, this is a little bit long... We've been testing MDO and have run into an issue that seems like a 'bug', but I've been unable to find any other reports of it online. I have a t...
robinhailey
Feb 15, 2024 · Copper Contributor
Joe Stocker / MatejKlemencic
Some additional info I've discovered today after some further testing.
I recreated a couple of the policies from scratch (again) just in case something was a little goofy with them.
Immediately upon doing that, I added only domains to the assignment. I then sent some test messages to users in those domains - lo and behold, the tests were received/rejected as I was expecting.
So, I added a specific user to the assignment (user was not part of any of the domains) and re-tested. The test messages were then received/rejected incorrectly - as they'd been previously. I removed the user, again leaving just the domains, and retested. The test messages were again received/rejected correctly.
I tried the same test but with a group assigned (in place of the user) and the domains. Same thing: with the group assigned, the receptions/rejections were incorrect. Remove the group and all is well.
So, it seems the problem I'm having isn't the domain assignment specifically, but when the assignments are mixed between domain and user/group. Do either of you have mixed assignments on your policies?
Thanks,
Robin
robinhailey
Feb 22, 2024 · Copper Contributor
I just wanted to come back and post what I learned from my Microsoft case on this issue. Apparently, if you use multiple conditions for policy assignments - i.e. user, group and/or domain - those are AND conditions, so the recipient must match all of the assignment types.
For example, if I add [email address removed for privacy reasons] and then the group [email address removed for privacy reasons] - where [email address removed for privacy reasons] includes 'user2' and 'user3'. An email sent to user1 will NOT be scanned by the policy because user1 is not also part of the group.
This is documented here (this is the malware doc, but you can find the same blurb in the others):
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide#recipient-filters-in-anti-malware-policies
I can't fully wrap my head around why the logic was set up that way, but at least I have an answer to my issue. Hopefully this will help someone in the future who may run into the same issue.
Thanks to Joe Stocker / MatejKlemencic for taking the time to respond.
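The behaviour described in the post above, modelled as an added example (not code from the original thread or from Microsoft): values within one condition type are ORed, as the linked documentation states, and the populated condition types are ANDed. The rule names, addresses and group membership are constructed, the property names follow the recipient conditions on Exchange Online Protection rule objects (`SentTo`, `SentToMemberOf`, `RecipientDomainIs`), and exact domain matching is an assumption of the model.

```python
# Model of policy recipient filters: OR inside a condition type, AND across types.
CONDITIONS = ("SentTo", "SentToMemberOf", "RecipientDomainIs")

# Constructed group membership; in a tenant this comes from the directory.
GROUPS = {"group1@example.com": {"user2@example.com", "user3@example.com"}}

# Constructed rules shaped like exported rule objects.
RULES = [
    {"Name": "domains-only", "RecipientDomainIs": ["example.com", "example.org"]},
    {"Name": "user-and-group", "SentTo": ["user1@example.com"],
     "SentToMemberOf": ["group1@example.com"]},
    {"Name": "domains-plus-outside-user",
     "RecipientDomainIs": ["example.com", "example.org"],
     "SentTo": ["user9@example.net"]},
]

def _matches(cond, values, rcpt):
    """True if the recipient satisfies at least one value of this condition type."""
    values = {v.lower() for v in values}
    if cond == "SentTo":
        return rcpt in values
    if cond == "SentToMemberOf":
        return any(rcpt in GROUPS.get(g, set()) for g in values)
    # RecipientDomainIs: exact domain match is assumed in this model.
    return rcpt.rsplit("@", 1)[-1] in values

def rule_applies(rule, recipient):
    """A rule applies only if every populated condition type matches."""
    rcpt = recipient.lower()
    used = [c for c in CONDITIONS if rule.get(c)]
    return bool(used) and all(_matches(c, rule[c], rcpt) for c in used)

def mixed_condition_rules(rules):
    """Names of rules that populate more than one condition type."""
    return [r["Name"] for r in rules
            if sum(bool(r.get(c)) for c in CONDITIONS) > 1]

def covered(rule, recipients):
    """Recipients from the list that the rule would actually apply to."""
    return [r for r in recipients if rule_applies(rule, r)]

if __name__ == "__main__":
    mailboxes = ["user1@example.com", "user2@example.com",
                 "user5@example.org", "user9@example.net"]
    for rule in RULES:
        print(rule["Name"], "->", covered(rule, mailboxes))
    print("review:", mixed_condition_rules(RULES))
```

Rules returned by `mixed_condition_rules` are the ones to review: splitting each into one rule per condition type avoids the intersection.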
ExMSW4319
Feb 24, 2024 · Iron Contributor
Thank you for completing this thread. It has been an instructive case.