SOLVED

Defender for Office Policy Assignment by Domain


Hello -

 

Sorry, this is a little bit long...

 

We've been testing MDO and have run into an issue that seems like a 'bug', but I've been unable to find any other reports of it online.  I have a ticket open with MS, but that's moving along very slowly as they're insistent on re-doing all the troubleshooting I've already done.  But I digress...

The problem we've found is in the MDO policy assignment - confirmed in anti-phish and anti-malware.  If I assign the policy to a user and/or group/DL, the policy works as expected.  However, if I use the domain assignment (as we were hoping to do for the full deployment), the assigned policy is being ignored and the message(s) are being passed on to the Default policy.

 

For example, I have a custom anti-malware policy that's my priority 0 policy.  In it, I have assigned a specific group with some test accounts.  I also assigned a domain (one of my owned/registered tenant domains).  I also added a specific file extension to the disallowed list so that I could test.  Then, I send a test email, with an attachment with that extension, to an account that's a member of the assigned group as well as another account that's a member of the assigned domain.  The expectation is that both of those messages should be blocked.

However, that's not the case.  The message to the account that's part of the assigned group is blocked (as expected), but the message to the account that's part of the assigned domain is successfully delivered (attachment and all).  It doesn't seem to matter which accounts, groups or domains I use; I can readily repeat the issue every time.

 

As an additional test, I added a random extension to the block list of the Default malware policy - one that's not included in my custom policy - and sent test emails again with an attachment of that file type.  The expectation being that all accounts should receive the message.  But, nope, that's not what happened. The account(s) assigned to the custom policy by group/account received the message (as expected) and the one assigned by domain was blocked.

 

To me, that's pretty clear evidence that there's some kind of issue with domain assignment in the policies.  That particular message basically bypassed the policy to which it was assigned and was handled by the Default policy.

 

As mentioned, I haven't found any other similar reports online, and to this point, Microsoft hasn't alluded to any issues.  Surely others are using domains to assign their MDO policies.  Has anyone run into this and, if so, have you found some sort of resolution for it?

 

Thanks,

Robin

10 Replies
Just curious if you verified whether the test account has a Microsoft Defender for Office license assigned to it? Sometimes people think the functionality works as long as there is just one paid license in a tenant whereas sometimes the license must be assigned to all users where the protection is applied.

Is your setup based on an Exchange Hybrid environment? Are your MX records pointing directly to Exchange Online? Have you attempted applying the custom anti-malware policy to your onmicrosoft.com domain as well?

Joe, thanks for that.
The accounts I'm testing with are all shared mailbox accounts (so, either unlicensed or, in one case, an EOP1).
I hadn't considered the licensing status as a potential issue because when I assign the accounts specifically - either as an individual or as part of a group - the policies seem to apply correctly. It's only when I don't assign them individually, relying on the domain assignment, that the problem occurs.
I'll test with a licensed account and see if that makes any difference.

Robin
Hi MatejKlemencic
Thanks for replying. No, our Exchange is fully cloud based (no hybrid). For the accounts/domains in question, yes, the MX records are pointing directly to Exchange Online. I've not tried adding the onmicrosoft.com domain but will do that. If that were to work, what would that tell me about the associated primary domain?

Thanks,
Robin

Hi @robinhailey 

Give it a try despite the odds. I've encountered unusual email routing between onmicrosoft.com and customer owned domains. Consider creating a policy through PowerShell as well; it has proven helpful in the past https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-c...

 

Keep in mind that Anti-Malware is part of EOP not MDO > https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-about?view=o365-wor...

 

@Joe Stocker
Just an FYI, using a licensed account (E5) instead of the shared mailbox didn't change the outcome. Messages are still skipping the assigned policy when assigned by domain.

Hi @MatejKlemencic -
Thanks - I haven't had a chance yet to try the onmicrosoft suggestion.
I was thinking I should try recreating the policies (again) - maybe this time I'll do it via PowerShell.

Just as an FYI, it's not just the anti-malware that this is happening on. I've confirmed it's doing the same thing with the anti-phishing policy as well. I haven't tested the others, was just assuming they weren't going to behave in the same manner.
@Joe Stocker / @MatejKlemencic

Some additional info I've discovered today after some further testing.
I recreated a couple of the policies from scratch (again) just in case something was a little goofy with them.

Immediately upon doing that, I added only domains to the assignment. I then sent some test messages to users in those domains - lo and behold, the tests were received/rejected as I was expecting.

So, I added a specific user to the assignment (user was not part of any of the domains) and re-tested. The test messages were then received/rejected incorrectly - as they'd been previously. I removed the user, again leaving just the domains, and retested. The test messages were again received/rejected correctly.

I tried the same test but with a group assigned (in place of the user) and the domains. Same thing: with the group assigned, the receptions/rejections were incorrect. Remove the group and all is well.

So, it seems the problem I'm having isn't the domain assignment, specifically, but, when the assignments are mixed between domain and user/group. Do either of you have mixed assignments on your policies?

Thanks,
Robin
best response confirmed by robinhailey (Copper Contributor)
Solution
I just wanted to come back and post what I learned from my Microsoft case on this issue. Apparently, if you use multiple conditions for policy assignments - i.e. user, group and/or domain - those are AND conditions, so the recipient must match all of the assignment types.

For example, if I add email address removed for privacy reasons and then the group email address removed for privacy reasons - where email address removed for privacy reasons includes 'user2' and 'user3' - an email sent to user1 will NOT be scanned by the policy because user1 is not also part of the group.

This is documented here (this is the malware doc but, you can find the same blurb in the others):

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection...

I can't fully wrap my head around why the logic was set up that way, but at least I have an answer to my issue. Hopefully this will help someone in the future who may run into the same issue.

Thanks to @Joe Stocker / @MatejKlemencic for taking the time to respond.
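To make the accepted answer concrete, here is an added Python model of the recipient-scoping rule the solution post describes (this is illustration code written for this thread, not Microsoft's implementation and not anything the poster ran). It follows the behaviour documented for EOP/MDO policy rules: multiple values within one condition type (Users, Groups, Domains) are OR'ed, different condition types are AND'ed, and exceptions are OR'ed so that any matching exception excludes the recipient. Policy names, group and domain names, addresses, and the `memberships` set (which a caller supplies; the real service resolves group membership itself) are all constructed sample data.

```python
"""Model of how EOP / Defender for Office recipient conditions select a policy.

Illustration only, not Microsoft code. Documented rule it follows: values within
one condition type are OR'ed, different condition types are AND'ed, and any
matching exception excludes the recipient. All names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    """One custom policy (e.g. an anti-malware rule) with its recipient scoping."""
    name: str
    priority: int                                  # lower number is evaluated first
    users: set = field(default_factory=set)        # "Users" condition
    groups: set = field(default_factory=set)       # "Groups" condition
    domains: set = field(default_factory=set)      # "Domains" condition
    except_users: set = field(default_factory=set)
    except_groups: set = field(default_factory=set)
    except_domains: set = field(default_factory=set)

    def __post_init__(self):
        # Addresses and domains are compared case-insensitively.
        for attr in ("users", "groups", "domains",
                     "except_users", "except_groups", "except_domains"):
            setattr(self, attr, {v.lower() for v in getattr(self, attr)})


def _domain_of(address):
    return address.rsplit("@", 1)[-1]


def conditions_match(policy, recipient, memberships):
    """Conditions: OR within a type, AND across every type that has values."""
    checks = []
    if policy.users:
        checks.append(recipient in policy.users)
    if policy.groups:
        checks.append(not memberships.isdisjoint(policy.groups))
    if policy.domains:
        checks.append(_domain_of(recipient) in policy.domains)
    # A policy with no conditions at all scopes nobody.
    return bool(checks) and all(checks)


def exceptions_match(policy, recipient, memberships):
    """Exceptions: OR within a type and OR across types; any hit excludes."""
    return (
        recipient in policy.except_users
        or not memberships.isdisjoint(policy.except_groups)
        or _domain_of(recipient) in policy.except_domains
    )


def policy_applies(policy, recipient, memberships):
    """True if the recipient is scoped by this policy and not excluded."""
    recipient = recipient.lower()
    memberships = {g.lower() for g in memberships}
    if exceptions_match(policy, recipient, memberships):
        return False
    return conditions_match(policy, recipient, memberships)


def select_policy(policies, recipient, memberships, default_name="Default"):
    """Name of the first matching policy in priority order, else the Default."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy_applies(policy, recipient, memberships):
            return policy.name
    return default_name


# Constructed sample data mirroring the thread's test: a priority-0 custom policy
# scoped to both a group AND a domain (the mixed assignment that surprised the poster).
MIXED = [Policy("Custom Malware", 0,
                groups={"mdo-test@example.com"}, domains={"example.com"})]

# The same policy scoped by domain only, which is what the poster expected to work.
DOMAIN_ONLY = [Policy("Custom Malware", 0, domains={"example.com"})]

# Domain scope with a per-user exception.
WITH_EXCEPTION = [Policy("Custom Malware", 0, domains={"example.com"},
                         except_users={"vip@example.com"})]


if __name__ == "__main__":
    cases = [
        (MIXED, "user1@example.com", set()),                       # domain only -> Default
        (MIXED, "user2@example.com", {"mdo-test@example.com"}),    # domain AND group -> custom
        (DOMAIN_ONLY, "user1@example.com", set()),                 # domain alone suffices
        (WITH_EXCEPTION, "vip@example.com", set()),                # excluded -> Default
    ]
    for policies, rcpt, groups in cases:
        print(f"{rcpt:<22} -> {select_policy(policies, rcpt, groups)}")
```

Running it reproduces the thread's observation: under the mixed policy, a recipient in the assigned domain but not in the assigned group falls through to the Default policy, while the domain-only policy catches everyone in the domain. When a policy needs to cover "this domain plus these extra people", the documented semantics mean you need a separate rule (or policy) for the extra recipients rather than adding them as a second condition on the same rule.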
Thank you for completing this thread. It has been an instructive case.