SOLVED
Home

O365 ATP - Ensuring Junk Email settings on Exchange Mailboxes are enabled for ZAP and Anti-spam

%3CLINGO-SUB%20id%3D%22lingo-sub-1285247%22%20slang%3D%22en-US%22%3EO365%20ATP%20-%20Ensuring%20Junk%20Email%20settings%20on%20Exchange%20Mailboxes%20are%20enabled%20for%20ZAP%20and%20Anti-spam%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1285247%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20looking%20at%20best%20practices%20for%20O365%20ATP%20deployment%20and%20have%20reviewed%20a%20ton%20of%20documentation%20and%20presentations%2C%20and%20understand%20the%20need%20to%20ensure%20that%20Junk%20Email%20Settings%20are%20enabled%20for%20all%20mailboxes%20for%20Ant-spam%20and%20ZAP%20to%20work%20as%20intended.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20trying%20to%20understand%20how%20an%20end%20user%20can%20disable%20it%20for%20their%20mailbox%20in%20the%20first%20place%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWithin%20Outlook%20the%20end%20user%20only%20has%20the%20ability%20to%20alter%20their%20Junk%20email%20options%2C%20but%20even%20setting%20the%20level%20to%20%22No%20Automatic%20Filtering%22%2C%26nbsp%3B%20doesn't%20disable%20Junk%20email%20for%20the%20mailbox%20as%20far%20as%20I%20can%20see%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20end%20user%20cannot%20delete%20the%20Junk%20Email%20folder%20from%20their%20mailbox%20either%20and%26nbsp%3B%20the%20Junk%20Email%20rule%20is%20a%20hidden%20inbox%20rule%20that%20end%20users%20cannot%20see.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20am%20I%20missing%20that%20users%20can%20do%20to%20potentially%20break%20%2F%20disable%20junk%20email%20settings%20on%20their%20mailbox%3F%20Or%20is%20this%20check%2C%20to%20guard%20against%20any%20admins%20having%20disabled%20Junk%20Email%20on%20user%20mailboxes%20in%20the%20past%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3EPaul%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1285247%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1378633%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20ATP%20-%20Ensuring%20Junk%20Email%20settings%20on%20Exchange%20Mailboxes%20are%20enabled%20for%20ZAP%20and%20Anti-spam%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1378633%22%20slang%3D%22en-US%22%3EEnd%20users%20can%20disable%20junk%20folder%20in%20OWA%3CBR%20%2F%3EClick%20on%20the%20Options%20tool%20at%20the%20top%20right%20of%20the%20OWA%20page.%3CBR%20%2F%3EClick%20on%20See%20All%20Options...%3CBR%20%2F%3EClick%20on%20Block%20or%20Allow%20in%20the%20column%20on%20the%20left.%3CBR%20%2F%3EClick%20to%20select%20the%20Don't%20move%20e-mail%20to%20my%20Junk%20E-Mail%20folder%20option%2C%20which%20is%20at%20the%20top.%3CBR%20%2F%3EAnd%20the%20more%20techie%20end-users%20can%20connect%20to%20Exchange%20Online%20PowerShell%20and%20they%20can%20run%20this%20command%20against%20their%20own%20user%20mailbox.%3CBR%20%2F%3EYou%20can%20prevent%20end-users%20from%20doing%20this%20by%20creating%20a%20custom%20policy%2C%20and%20you%20can%20also%20disable%20them%20from%20launching%20Exchange%20remote%20PowerShell%3A%3CBR%20%2F%3Efor%20a%20single%20user%3A%20Set-User%20-Identity%20david%40contoso.com%20-RemotePowerShellEnabled%20%24false%3CBR%20%2F%3Efor%20all%20users%3A%20get-user%20-resultsize%20unlimited%20%7C%20set-user%20-RemotePowerShellEnabled%20%24false%3CBR%20%2F%3E(just%20be%20sure%20to%20exclude%20yourself%20and%20other%20global%20admins%20otherwise%20you'll%20lock%20yourself%20out.)%3CBR%20%2F%3EYou%20can%20enable%20junk%20mail%20folder%20on%20all%20mailboxes%20with%20this%20one%20commnad%3A%3CBR%20%2F%3E%24All%20%3D%20Get-Mailbox%20-RecipientTypeDetails%20UserMailbox%20-ResultSize%20Unlimited%3B%20%24All%20%7C%20foreach%20%7BSet-MailboxJunkEmailConfiguration%20%24_.Name%20-Enabled%20%24true%7D%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20this%20was%20helpful%2C%20please%20mark%20as%20best%20answer.%20thanks!%3CBR%20%2F%3E-Joe%3C%2FLINGO-BODY%3E
Highlighted
Contributor

Hi All,

 

I am looking at best practices for O365 ATP deployment and have reviewed a ton of documentation and presentations, and understand the need to ensure that Junk Email Settings are enabled for all mailboxes for Ant-spam and ZAP to work as intended.

 

I am trying to understand how an end user can disable it for their mailbox in the first place?

 

Within Outlook the end user only has the ability to alter their Junk email options, but even setting the level to "No Automatic Filtering",  doesn't disable Junk email for the mailbox as far as I can see?

 

The end user cannot delete the Junk Email folder from their mailbox either and  the Junk Email rule is a hidden inbox rule that end users cannot see.

 

What am I missing that users can do to potentially break / disable junk email settings on their mailbox? Or is this check, to guard against any admins having disabled Junk Email on user mailboxes in the past?

 

Thanks

Paul

1 Reply
Highlighted
Solution
End users can disable junk folder in OWA
Click on the Options tool at the top right of the OWA page.
Click on See All Options...
Click on Block or Allow in the column on the left.
Click to select the Don't move e-mail to my Junk E-Mail folder option, which is at the top.
And the more techie end-users can connect to Exchange Online PowerShell and they can run this command against their own user mailbox.
You can prevent end-users from doing this by creating a custom policy, and you can also disable them from launching Exchange remote PowerShell:
for a single user: Set-User -Identity david@contoso.com -RemotePowerShellEnabled $false
for all users: get-user -resultsize unlimited | set-user -RemotePowerShellEnabled $false
(just be sure to exclude yourself and other global admins otherwise you'll lock yourself out.)
You can enable junk mail folder on all mailboxes with this one commnad:
$All = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited; $All | foreach {Set-MailboxJunkEmailConfiguration $_.Name -Enabled $true}

If this was helpful, please mark as best answer. thanks!
-Joe