Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Configuration Analyzer, Standard or Strict?

Copper Contributor

We are currently having issues with important mails getting sent to quarantine. Often from outside users who we have a lot of correspondence. And then it grabs a some essential meeting, and we miss it.

 

I set strict in configuration analyzer a long time ago (years), but it's starting to be an issue. I was thinking of making a standard baseline so it gets updated etc.

If I make this, presumably instead of quarantine these problem mails will get sent to the Junk folder instead, unless they are a real issue (virus etc).

 

But I'm not sure what most run on, is it advisable to have strict.

Or is it normal to run on standard for most companies?, don't really want to run strict then add whitelist for companies we deal with because we can't get the mail through. Whitelisting is cancelling out the security, so I'm told.

 

So basically, is it better to downgrade it?

4 Replies
In general, Strict is recommended for IT or "High Value Targets" where the risk of compromise would cause significant material damage to the organization. Standard is recommended for the common user where there is higher tolerance for risk. Obviously, no one wants to have any user account get taken over, but you have to weigh the balance of security versus productivity.
If it helps, I work with hundreds of companies and I am not aware of very many who put all users into the Strict mode - I can probably count those orgs on one hand.
Are you looking at the reasons why mails are going to the hosted quarantine? Depending on the problem(s) there are several places you could exempt a sending organisation, depending on the cause. The curative measure selected also determines how big a "loophole" you are knocking in your defences.

Do you need to run the same policy for all of your internal recipients? Are some more in need of protection than others? Of course the analyser won't like that; it will [redact] and moan about the group you have on the less secure policy, but now you're thinking for yourself rather than taking an auto-recommendation.
Yes, we have had a couple of important meetings missed as they went to quarantine.
I'm trying to not cause the loophole as you mentioned.
Many thanks
We are data analysts with an IT side. But our IT except mine is off-site on other's hardware.
I set the strict in the first place trying to do the best for the company (I'm self-taught), but I agree I think It's too tight for us.

Important meetings got missed because they were in quarantine whilst on strict. I have a temp company exemption whilst we get the project finished.

I think we have 2 options
1) Run standard and reduce security but less aggro so we can conduct business.
Or
2) I run Strict and revert the "If a message is protection" settings in the policies and just send to junk instead, so it stops the quarantine stuff piling up. I have quarantine set against pretty much any detection, atm.

Question, if I may, which would you choose of those 2?

Thanks for the Insight