SOLVED

Best practice advice

Iron Contributor

Hello all

 

I am fairly new to Defender for O365. I am the cloud admin for a small company roughly 1000 accounts. We are moving from mimecast to Defender for O365. I read the article regarding preset security polices, and thought this would be a good place to start, so i enabled the standard policy for all the domains we host. Considering you cannot edit a preset policy i had to edit the default policy to fill in the gaps to account for the things like safe senders, blocked senders, safe domains and blocked domains. Is this the correct strategy to use? From my understanding the preset security policy will take precedence. How does the precedence work? If i create safe senders in the default anti-spam policy will these settings take effect even though the safe senders are not mentioned in the Standard preset security policy ? 

 

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies...

9 Replies
best response confirmed by Skipster311-1 (Iron Contributor)
Solution
Precedence works in this order:

Strict protection preset security policy
Standard protection preset security policy
Custom security policies
Default security policies

Which means if a setting is set in a policy with a higher precedence, it can’t be overridden in a lower policy. You should be OK by using your approach.
Got it, that answers my question. So if a setting is configured in a lower precedence policy, and that same setting is not mentioned in a higher precedence policy, then the setting will apply. This makes sense.
Actually.. I'm having second thoughts about this 🙂 It's been a while since I last configured it. I'd recommend testing it to be sure, Microsoft's documentation does state the precedence, they however don't unambiguously state if this only applies on top level policies or goes down to the setting level.

If all else fails, you can of course decide to mimic most of the settings in the preset policies based on the info available at https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for....
Its strange that MS doesnt specifically call out how policy settings are applied that are in different polices. Example are they merged , if a lower level policy has configured setting that a high level policy setting does not, will the setting apply? They dont call this out and its a bit frustrating. From my understanding the preset polices cant be modified, so if i have to create safe or block lists i have to either use the default policy or create a new custom policy.

Hello @Skipster311-1, Thanks for your feedback and question:

@pvanberlo is correct that precedence works in the following order from highest priority to lowest priority and it applies down to the security control level:

  1. Strict protection preset security policy
  2. Standard protection preset security policy
  3. Custom security policies
  4. Default security policies

That means, for example, if a security control/setting exists in Standard and admin has enabled it for a user, then it would be applied instead of what is configured for the setting in a custom policy or in the default policy if they are scoped to the same user. Note: you may have some portion of your org that you want to apply the standard/strict presets only and then for the others in your org you may apply a custom policy to meet specific use cases.

 

Today, we don't allow for customizations in the preset security policies (standard/strict) as the goal for presets is to require minimal admin effort to apply -- enable it and you've got all of the recommended security controls turned on. Any time we add any new controls, those will be automatically added in the preset security policies.

 

We will add this clarification to the MS doc page: Preset security policies - Office 365 | Microsoft DocsAlso, wanted to mention we are working on several improvements to make this configuration process easier. Thanks for the feedback!

Thank you for the info. Please help me understand the following scenario.
#1Standard preset policy turned on for domainA.com (preset polices dont allow for modification)
#2Modify default anti-spam policy, create allow\block list. apply the policy to domainA.com
If a message is sent to a user in domainA.com and the sender is on the block list will the default policy apply ?

@Skipster311-1, it's been some time since you made these changes. Curious to ask how your experience is going? I am also evaluating the necessity of keeping our inbound filter and going native with EOP abilities. 

 

In case folks are still coming across this topic, this documentation might help: Documentation article: Order and precedence of email protection.

 

More holistic within this topic’s theme, the Microsoft Defender for Office 365 (MDO) setup guide in the M365 Admin Center contains step by step guidance on deploying MDO.

 

The MDO setup guide simplifies deployment of MDO.

 

Note: If you don't have Microsoft 365 admin permissions, open the guide in a test or POC tenant to get instructions.

1 best response

Accepted Solutions
best response confirmed by Skipster311-1 (Iron Contributor)
Solution
Precedence works in this order:

Strict protection preset security policy
Standard protection preset security policy
Custom security policies
Default security policies

Which means if a setting is set in a policy with a higher precedence, it can’t be overridden in a lower policy. You should be OK by using your approach.

View solution in original post