Forum Discussion
Best practice advice
- Jul 06, 2021Precedence works in this order:
Strict protection preset security policy
Standard protection preset security policy
Custom security policies
Default security policies
Which means if a setting is set in a policy with a higher precedence, it can’t be overridden in a lower policy. You should be OK by using your approach.
Hello Skipster311-1, Thanks for your feedback and question:
pvanberlo is correct that precedence works in the following order from highest priority to lowest priority and it applies down to the security control level:
- Strict protection preset security policy
- Standard protection preset security policy
- Custom security policies
- Default security policies
That means, for example, if a security control/setting exists in Standard and admin has enabled it for a user, then it would be applied instead of what is configured for the setting in a custom policy or in the default policy if they are scoped to the same user. Note: you may have some portion of your org that you want to apply the standard/strict presets only and then for the others in your org you may apply a custom policy to meet specific use cases.
Today, we don't allow for customizations in the preset security policies (standard/strict) as the goal for presets is to require minimal admin effort to apply -- enable it and you've got all of the recommended security controls turned on. Any time we add any new controls, those will be automatically added in the preset security policies.
We will add this clarification to the MS doc page: Preset security policies - Office 365 | Microsoft Docs. Also, wanted to mention we are working on several improvements to make this configuration process easier. Thanks for the feedback!
- Skipster311-1Jul 07, 2021Iron ContributorThank you for the info. Please help me understand the following scenario.
#1Standard preset policy turned on for domainA.com (preset polices dont allow for modification)
#2Modify default anti-spam policy, create allow\block list. apply the policy to domainA.com
If a message is sent to a user in domainA.com and the sender is on the block list will the default policy apply ?