microsoft 365 defender
116 topics

Microsoft Issues Updated Guidance for Defender for Office 365 Licensing
Some inconsistencies in the MDO P2 service description and licensing terms exposed a need for tenants to license every user and shared mailbox. Microsoft has changed the service description and licensing terms to make them simpler. Mailboxes still need MDO licenses, but only if they benefit from MDO protection, including MDO P2 if that's what they use. Tenant admins have some extra work to do to deploy policies. All explained here: https://office365itpros.com/2025/10/31/mdo-p2-licensing/
(30 views, 0 likes, 0 comments)

Compliance licenses at tenant level
Hi, we are a small organization of about 200 employees, and we have the following requirements:
- DLP policy configuration for Exchange, OneDrive and SharePoint
- BYOD security
- Users should not be able to send files outside the org
- And so on as we evaluate
We already have M365 Business Premium. However, after researching we figured out that M365 Business Premium alone will not solve our requirements. Maybe a compliance license will. We want to apply security policies at tenant level in our organization but definitely do not want every user to get licenses, as this will be expensive for us and there is no requirement at all for our users. The question is: is there a way to solve the above scenario?
(317 views, 1 like, 3 comments)

Security Admin Center Tenant Allow/Block List Not Able to Block IPv4?
While using the Security Admin Center Tenant Allow/Block List we have been able to block specific email addresses and IPv6 addresses, but are unable to block IPv4 addresses. We have tried both the console and the CLI but have been unsuccessful both times when it comes to IPv4. A large majority of the phishing attempts that we encounter come from IPv4 addresses, but we have been unable to block any of these. Will there ever be functionality for IPv4 within the Tenant Allow/Block List, or is the only option to use Conditional Access policies? Also, why is this enterprise tool only functional with IPv6, without documentation stating that it does not work for IPv4?
(1K views, 3 likes, 4 comments)

Poor reporting capability
I'm finding the flexibility of Exchange Online Protection and reporting in general to be terrible. I'm trying to get a report of cases where people have clicked a link that was later determined to be malicious, including links we have manually determined to be malicious and then zapped those emails. I have kind of done this in threat hunting; however, I need to run a query that starts older than the 30 days in threat hunting. Of course I don't have these going into Sentinel or anything, so the data is gone. Someone suggested reports, but I can't see how, or if, there even is a way to report clicks on malicious links (based on them being later determined to be malicious and zapped). Any suggestions?
(30 views, 0 likes, 1 comment)

Extract user access to Cloud Apps categories.
I'm having some issues with getting report data out of Defender for Cloud Apps. Short version is I want to get a report (or at the very least an export) of all users accessing sites in the Generative AI category. I can do this manually by following these steps:
- Open Cloud Discovery
- Click Discovered apps
- Enter Generative AI in Browse by category
I now get a list of discovered sites, but to get a list of users who have accessed them I have to:
- Click each app one at a time
- In each, click Cloud app usage
- Click Users
- And finally export all users
Imagine how long this would take for a category that has a high amount of usage, and how inefficient this would be for providing monthly reporting. I tried to find a way to see user activity for one Cloud App category in one step, but I cannot. Any idea?
(79 views, 0 likes, 2 comments)

Cloud app conditional access exceptions
I have a lot of issues with attackers coming from VPN and anonymous IPs. I'm trialing a Conditional Access policy to apply Conditional Access App Control. I've created a Cloud Apps access policy to block using IP address, Category, equals, listing a few categories like VPN and Risky. Then another access policy to block using IP address, Tag, equals Tor, Anonymous, Random, Botnet, etc. Testing shows this works. But I've been asked what if we wanted to allow a specific service like NordVPN. How can I achieve this?
(76 views, 0 likes, 2 comments)

Unable to whitelist quarantined emails
We have an email that is being constantly quarantined from a web form. The email comes from the address of the web form server, but is spoofing an internal address in our tenant by design. The email keeps getting blocked, and nothing we've tried as far as transport rules, whitelist additions, etc. has been able to discernibly affect this. There is an option to create a Tenant Allow List entry, but the maximum duration is 45 days. We need a way to reliably whitelist an email indefinitely.
(99 views, 0 likes, 1 comment)

SPF, DKIM and DMARC bypassed for guest users
I manage a small non-profit using Microsoft 365 Business Basic. Most of the people on our board of directors are added as unlicensed guest users so that they can participate in Teams chats and meetings and access our SharePoint without using up a license. The problem: any email sent from an internal licensed user (or shared mailbox) to one of these guest users completely bypasses our domain's SPF, DKIM and DMARC configuration, resulting in bounced emails (particularly for recipients using Gmail). Mail sent from an internal licensed user to any external address NOT registered as a guest user correctly passes SPF, DKIM and DMARC checks. I gather that this is because guest users are viewed as "internal" despite having external email addresses, but it seems like a serious limitation if I cannot reliably send email to anyone who is a guest user. Is there any extra configuration I can do to enable SPF, DKIM and DMARC for email to guest users?
(157 views, 0 likes, 5 comments)

Microsoft Defender for Office 365, Shared Mailboxes, and Microsoft 365 Groups
Microsoft Defender for Office 365 (MDO) requires shared mailboxes to be licensed but doesn't extend the same requirement to Microsoft 365 Groups. Given that Microsoft 365 Groups have group mailboxes and can function very much like shared mailboxes, the difference in licensing is remarkable. Why does this happen? It could be due to internal Microsoft politics, omissions, or just a preference for Groups. Who knows? https://office365itpros.com/2025/08/18/microsoft-defender-for-office-365-2/
(83 views, 1 like, 0 comments)

Defender vulnerability report
I've been working with Defender threat hunting to get stats on vulnerabilities in my environment. One thing I wanted to do was to track total vulnerabilities over time for specific software rather than just a total. Problem is, there doesn't seem to be a field in DeviceTvmSoftwareVulnerabilities that records the date/time when a vulnerability was detected/last seen, etc. Without a date when it was seen there is no way to get a total each day. Any ideas how I can get this? And no, I don't have any other vulnerability scanning tools.
(61 views, 0 likes, 1 comment)
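For the "Poor reporting capability" question above, an added Advanced Hunting (KQL) query that is not from any of the posts and not Microsoft's own sample: it lists Safe Links clicks on messages that were later pulled from mailboxes by ZAP or by manual remediation, correlating the two tables on NetworkMessageId. It assumes Defender for Office 365 Plan 2 (click data lands in UrlClickEvents) and the documented column names of UrlClickEvents and EmailPostDeliveryEvents; the remediation ActionType strings are the ones the portal shows and should be checked against your tenant. The 30-day window is the Advanced Hunting retention limit, so to report further back the query has to be run on a schedule (for example through the Advanced Hunting API) and its output stored outside the portal.

```kql
// Added example: clicks on links in messages that were later removed from mailboxes.
// Assumes the documented UrlClickEvents / EmailPostDeliveryEvents schemas.
let lookback = 30d;   // Advanced Hunting keeps at most 30 days of this data
let remediated =
    EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    // automatic ZAP and admin-driven removals (e.g. from Explorer or Submissions)
    | where ActionType in ("Phish ZAP", "Malware ZAP", "Spam ZAP", "Manual remediation")
    | where ActionResult == "Success"
    | project NetworkMessageId, RecipientEmailAddress,
              RemediationTime = Timestamp, RemediationType = ActionType,
              RemediationThreats = ThreatTypes;
UrlClickEvents
| where Timestamp > ago(lookback)
// keep only clicks that reached the destination: allowed outright, or a warning page the user clicked through
| where ActionType == "ClickAllowed" or IsClickedThrough == true
| join kind=inner remediated on NetworkMessageId
// the click happened before the message was removed, i.e. while the link was still reachable
| where Timestamp < RemediationTime
| project ClickTime = Timestamp, AccountUpn, Url, ClickAction = ActionType,
          RemediationType, RemediationTime, RemediationThreats,
          RecipientEmailAddress, NetworkMessageId, IPAddress
| order by ClickTime desc
```

The join is on the message ID only, so for a message sent to several recipients each click is paired with every recipient's remediation row; if you need one row per user, also match AccountUpn against RecipientEmailAddress (both lower-cased) in the join key.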
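For the "Defender vulnerability report" question above, an added Advanced Hunting (KQL) query, not from the post and not Microsoft's own sample. DeviceTvmSoftwareVulnerabilities is a current-state snapshot with no first-seen or last-seen column, so the workable approach is to summarize it per software product and capture the result on a schedule, stamping each run with its own date. The query assumes the documented columns of DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB; the join on the KB table adds the publication date of the oldest open CVE per product, which is the closest thing to an age indicator the data offers.

```kql
// Added example: one snapshot row per software product, to be collected daily.
// Run on a schedule (Advanced Hunting API, Logic App, or similar) and append the
// rows to your own store; SnapshotDate is what makes a trend line possible.
// The products list is an assumed filter: leave it empty for every product.
let products = dynamic([]);   // e.g. dynamic(["chrome", "office"])
DeviceTvmSoftwareVulnerabilities
| where array_length(products) == 0 or SoftwareName in (products)
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, PublishedDate, IsExploitAvailable
  ) on CveId
| summarize
    OpenCves            = dcount(CveId),
    CriticalCves        = dcountif(CveId, VulnerabilitySeverityLevel == "Critical"),
    ExploitableCves     = dcountif(CveId, IsExploitAvailable == true),
    AffectedDevices     = dcount(DeviceId),
    DevicesWithCritical = dcountif(DeviceId, VulnerabilitySeverityLevel == "Critical"),
    OldestCvePublished  = min(PublishedDate)
  by SoftwareVendor, SoftwareName
| extend SnapshotDate = startofday(now())
| order by CriticalCves desc, OpenCves desc
```

Counting distinct CveId and DeviceId separately matters: a product with one CVE on 500 devices and a product with 50 CVEs on one device are very different exposures, and a single "total vulnerabilities" figure hides that.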