SOLVED

Best practice advice


Hello all

I am fairly new to Defender for O365. I am the cloud admin for a small company with roughly 1000 accounts. We are moving from Mimecast to Defender for O365. I read the article regarding preset security policies and thought this would be a good place to start, so I enabled the Standard policy for all the domains we host. Considering you cannot edit a preset policy, I had to edit the default policy to fill in the gaps to account for things like safe senders, blocked senders, safe domains and blocked domains. Is this the correct strategy to use? From my understanding the preset security policy will take precedence. How does the precedence work? If I create safe senders in the default anti-spam policy, will these settings take effect even though safe senders are not mentioned in the Standard preset security policy?

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies...

best response confirmed by Skipster311-1 (Iron Contributor)
Solution
Precedence works in this order:

Strict protection preset security policy
Standard protection preset security policy
Custom security policies
Default security policies

Which means if a setting is set in a policy with a higher precedence, it can’t be overridden in a lower policy. You should be OK by using your approach.
Got it, that answers my question. So if a setting is configured in a lower precedence policy, and that same setting is not mentioned in a higher precedence policy, then the setting will apply. This makes sense.
Actually... I'm having second thoughts about this :) It's been a while since I last configured it. I'd recommend testing it to be sure. Microsoft's documentation does state the precedence; however, they don't unambiguously state whether this applies only to top-level policies or goes down to the setting level.

If all else fails, you can of course decide to mimic most of the settings in the preset policies based on the info available at https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for....
It's strange that MS doesn't specifically call out how policy settings are applied when they are in different policies. For example, are they merged? If a lower-level policy has a configured setting that a higher-level policy does not, will the setting apply? They don't call this out and it's a bit frustrating. From my understanding the preset policies can't be modified, so if I have to create safe or block lists I have to either use the default policy or create a new custom policy.

Hello @Skipster311-1, thanks for your feedback and question:

@pvanberlo is correct that precedence works in the following order from highest priority to lowest priority and it applies down to the security control level:

  1. Strict protection preset security policy
  2. Standard protection preset security policy
  3. Custom security policies
  4. Default security policies

That means, for example, if a security control/setting exists in Standard and an admin has enabled it for a user, then it would be applied instead of what is configured for the setting in a custom policy or in the default policy if they are scoped to the same user. Note: you may have some portion of your org to which you want to apply only the Standard/Strict presets, and then for the others in your org you may apply a custom policy to meet specific use cases.

Today, we don't allow for customizations in the preset security policies (Standard/Strict), as the goal for presets is to require minimal admin effort to apply -- enable it and you've got all of the recommended security controls turned on. Any time we add new controls, those will be automatically added to the preset security policies.

We will add this clarification to the MS doc page: Preset security policies - Office 365 | Microsoft Docs. Also, wanted to mention we are working on several improvements to make this configuration process easier. Thanks for the feedback!

Thank you for the info. Please help me understand the following scenario.

  1. Standard preset policy turned on for domainA.com (preset policies don't allow for modification)
  2. Modify the default anti-spam policy, create an allow/block list, and apply the policy to domainA.com

If a message is sent to a user in domainA.com and the sender is on the block list, will the default policy apply?
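As an added example (not code from any reply in this thread, nor from Microsoft), the following Exchange Online PowerShell script lists the anti-spam policies that could be evaluated for one recipient domain, in the precedence order the replies describe: Strict preset, Standard preset, custom policies by priority number, then the default policy. It assumes the ExchangeOnlineManagement module with an open Connect-ExchangeOnline session, uses the Get-EOPProtectionPolicyRule, Get-HostedContentFilterRule and Get-HostedContentFilterPolicy cmdlets, and takes domainA.com from the scenario as a placeholder. It matches rules by their recipient-domain condition only; rules scoped by user or group are reported as "may apply" without resolving membership.

```powershell
# Added example, not from this thread or from Microsoft: show which anti-spam
# (EOP) policies sit in scope for one recipient domain, in precedence order.
# Assumes: Import-Module ExchangeOnlineManagement; Connect-ExchangeOnline
# "domainA.com" is the placeholder from the scenario above.

$Domain = "domainA.com"

# $true when the rule is enabled and either names $Domain in its recipient-domain
# condition or has no domain condition at all (user/group scoped; not resolved here).
function Test-RuleMayCover {
    param($Rule, [string]$Domain)
    if ($Rule.State -ne 'Enabled') { return $false }
    if (-not $Rule.RecipientDomainIs) { return $true }
    return ($Rule.RecipientDomainIs -contains $Domain)
}

$evaluation = @()

# 1-2. Preset security policies, Strict first. Their anti-spam settings cannot be
#      edited, so only the fact that they cover the domain is reported.
#      (Safe Links / Safe Attachments presets live in Get-ATPProtectionPolicyRule
#      and are outside this anti-spam question.)
foreach ($presetName in 'Strict Preset Security Policy', 'Standard Preset Security Policy') {
    $rule = Get-EOPProtectionPolicyRule -Identity $presetName -ErrorAction SilentlyContinue
    if ($rule -and (Test-RuleMayCover -Rule $rule -Domain $Domain)) {
        $evaluation += [pscustomobject]@{
            Order  = $evaluation.Count + 1
            Policy = $presetName
            Scope  = if ($rule.RecipientDomainIs) { $rule.RecipientDomainIs -join ',' } else { '(user/group scoped, may apply)' }
            Note   = 'Preset: settings fixed; evaluated before custom/default for matching recipients'
        }
    }
}

# 3. Custom anti-spam policies: lower Priority number is evaluated first.
foreach ($rule in (Get-HostedContentFilterRule | Sort-Object Priority)) {
    if (Test-RuleMayCover -Rule $rule -Domain $Domain) {
        $policy = Get-HostedContentFilterPolicy -Identity $rule.HostedContentFilterPolicy
        $evaluation += [pscustomobject]@{
            Order  = $evaluation.Count + 1
            Policy = $rule.HostedContentFilterPolicy
            Scope  = if ($rule.RecipientDomainIs) { $rule.RecipientDomainIs -join ',' } else { '(user/group scoped, may apply)' }
            Note   = "Custom (priority $($rule.Priority)); blocked senders: $($policy.BlockedSenders.Count), blocked domains: $($policy.BlockedSenderDomains.Count)"
        }
    }
}

# 4. Default anti-spam policy: applies to every recipient not matched above.
$default = Get-HostedContentFilterPolicy | Where-Object { $_.IsDefault }
$evaluation += [pscustomobject]@{
    Order  = $evaluation.Count + 1
    Policy = $default.Name
    Scope  = '(all remaining recipients)'
    Note   = "Default; blocked senders: $($default.BlockedSenders.Count), blocked domains: $($default.BlockedSenderDomains.Count)"
}

$evaluation | Format-Table -AutoSize
```

Reading the output top to bottom gives the evaluation order for the domain. For the scenario above, a blocked-sender list kept in the default policy shows up in the last row while the Standard preset, which covers the same recipients, shows up first; whether the preset's fixed anti-spam settings or the default policy's list wins for a given sender is exactly the setting-level precedence question, so the script is a way to see the overlap, and a test message to the domain is the way to confirm the behaviour.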

@Skipster311-1, it's been some time since you made these changes. Curious to ask how your experience is going? I am also evaluating the necessity of keeping our inbound filter and going native with EOP abilities. 

In case folks are still coming across this topic, this documentation article might help: Order and precedence of email protection.

More holistically, within this topic's theme, the Microsoft Defender for Office 365 (MDO) setup guide in the M365 Admin Center contains step-by-step guidance on deploying MDO.

The MDO setup guide simplifies deployment of MDO.

Note: If you don't have Microsoft 365 admin permissions, open the guide in a test or POC tenant to get instructions.
