Pilot Microsoft Defender for Office 365

Applies to:

  • Microsoft 365 Defender

This article is Step 3 of 3 in the process of setting up the evaluation environment for Microsoft Defender for Office 365. For more information about this process, see the overview article.

Use the following steps to set up and configure the pilot for Microsoft Defender for Office 365.

When you evaluate Microsoft Defender for Office 365, you might choose to pilot specific users before enabling and enforcing policies for your entire organization. Creating distribution groups can help manage the deployment processes. For example, create groups such as Defender for Office 365 Users - Standard Protection, Defender for Office 365 Users - Strict Protection, Defender for Office 365 Users - Custom Protection, or Defender for Office 365 Users - Exceptions.

It might not be evident why 'Standard' and 'Strict' are the terms used for these groups, but that will become clear when you explore more about Defender for Office 365 security presets. The names 'custom' and 'exceptions' speak for themselves, and though most of your users should fall under standard and strict, the custom and exception groups will collect valuable data for you about managing risk.

Step 1: Create pilot groups

Distribution groups can be created and defined directly in Exchange Online or synchronized from on-premises Active Directory.

  1. Sign in to the Exchange Admin Center (EAC) at https://admin.exchange.microsoft.com using an account that has been granted the Recipient Administrator role or has been delegated group management permissions.

  2. Go to Recipients > Groups.

  3. On the Groups page, select Add a group.

  4. For group type, select Distribution, and then click Next.

  5. Give the group a Name and an optional Description, and then click Next.

  6. On the remaining pages, assign an owner, add members to the group, set the email address, join-depart restrictions, and other settings.
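The same pilot groups can be created repeatably with Exchange Online PowerShell instead of clicking through the EAC. This is an added example, not code from the article; it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the Recipient Administrator role, and the member addresses and aliases are placeholders you replace with your own.

```powershell
# Added example: create the four pilot distribution groups named in the article.
# Assumes ExchangeOnlineManagement is installed; aliases and member UPNs are placeholders.
Connect-ExchangeOnline

$pilotGroups = @(
    @{ Name = 'Defender for Office 365 Users - Standard Protection'; Alias = 'MDO-Pilot-Standard' },
    @{ Name = 'Defender for Office 365 Users - Strict Protection';   Alias = 'MDO-Pilot-Strict' },
    @{ Name = 'Defender for Office 365 Users - Custom Protection';   Alias = 'MDO-Pilot-Custom' },
    @{ Name = 'Defender for Office 365 Users - Exceptions';          Alias = 'MDO-Pilot-Exceptions' }
)

foreach ($g in $pilotGroups) {
    # Skip groups that already exist so the script is safe to re-run.
    if (-not (Get-DistributionGroup -Identity $g.Alias -ErrorAction SilentlyContinue)) {
        # Closed join/depart restrictions keep pilot scope under admin control:
        # users cannot add themselves to (or leave) a protection group.
        New-DistributionGroup -Name $g.Name -DisplayName $g.Name -Alias $g.Alias `
            -Type Distribution -MemberJoinRestriction Closed -MemberDepartRestriction Closed | Out-Null
    }
}

# Constructed sample membership for the Standard pilot; replace with real pilot users.
$standardPilotUsers = @('alice@contoso.example', 'bob@contoso.example')
foreach ($upn in $standardPilotUsers) {
    Add-DistributionGroupMember -Identity 'MDO-Pilot-Standard' -Member $upn -ErrorAction SilentlyContinue
}

# Verify membership before any policy is scoped to the group.
Get-DistributionGroupMember -Identity 'MDO-Pilot-Standard' |
    Select-Object DisplayName, PrimarySmtpAddress
```

Keeping the pilot groups closed to self-service join and depart matters because policy scope follows group membership: an unintended member silently changes who is protected.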

Step 2: Configure protection

Some capabilities in Defender for Office 365 are configured and turned on by default, but security operations might want to raise the level of protection from the default.

Some capabilities are not yet configured. You have the following options for configuring protection:

  • Assign users to preset security policies (recommended): Preset security policies are provided as a method to quickly assign a uniform level of protection across all of the capabilities. You can choose from Standard or Strict protection. A good approach is to start with preset security policies and then fine-tune the policies as you learn more about the capabilities and your own unique threat environment. The advantage here is that you protect groups of users as quickly as possible, with the ability to tweak protection afterward. The disadvantage is that you can't customize most of the settings in preset security policies (for example, you can't change an action from Deliver to recipients' Junk Email folders to Quarantine or vice-versa). Also keep in mind that preset security policies are always applied before custom policies. So, if you want to create and use any custom policies, you'll need to exclude the users in those custom policies from the preset security policies.

  • Configure baseline protection manually: If you prefer to configure the environment yourself, you can quickly achieve a baseline of protection by following the guidance in Protect against threats. With this approach, you learn more about the settings that are configurable, and you can fine-tune the policies later.

  • Configure custom protection policies: You can also build and assign custom protection policies as part of your evaluation. Before you start customizing policies, it's important to understand the precedence in which these protection policies are applied and enforced. Security operations will need to create or configure some policies even when a preset is applied, specifically to define Safe Links and Safe Attachments policies.

Important

If you need to configure custom protection policies, you should examine the values that make up the Standard and Strict security definitions here: Recommended settings for EOP and Microsoft Defender for Office 365 security. Default values, as seen before any configuration takes place, are also listed. Keep a spreadsheet of where your custom build deviates.

Assign preset security policies

We recommend that you begin with the recommended baseline policies when evaluating MDO and then refine them as needed over the course of your evaluation period.

You can enable preset security policies in EOP and Defender for Office 365 fast, and assign them to specific pilot users or defined groups as part of your evaluation. Preset policies offer a baseline Standard protection template or a more aggressive Strict protection template, which can be assigned independently.

For example, an EOP condition for pilot evaluations could be applied if the recipients are members of a defined EOP Standard Protection group, and then managed by adding accounts to, or removing accounts from, the group.

Likewise, a Defender for Office 365 condition for pilot evaluations could be applied if the recipients are members of a defined Defender for Office 365 Standard Protection group and then managed by adding / removing accounts via the group.

For complete instructions, see Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users.
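The group-based scoping described above can also be set and audited from Exchange Online PowerShell. This is an added example rather than the article's own instructions; it assumes you are already connected with Connect-ExchangeOnline, that the preset rules carry their default name 'Standard Preset Security Policy' (they exist once the preset has been turned on), and that the group addresses are placeholders.

```powershell
# Added example: scope the Standard preset to the Standard pilot group and
# exclude the Exceptions group. Group addresses below are placeholders.
$standardGroup  = 'MDO-Pilot-Standard@contoso.example'
$exceptionGroup = 'MDO-Pilot-Exceptions@contoso.example'

# EOP half of the preset (anti-spam, anti-malware, anti-phishing).
Set-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy' `
    -SentToMemberOf $standardGroup -ExceptIfSentToMemberOf $exceptionGroup

# Defender for Office 365 half of the preset (Safe Links, Safe Attachments).
Set-ATPProtectionPolicyRule -Identity 'Standard Preset Security Policy' `
    -SentToMemberOf $standardGroup -ExceptIfSentToMemberOf $exceptionGroup

# A rule with conditions set but State 'Disabled' protects nobody; enable both halves.
Enable-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy'
Enable-ATPProtectionPolicyRule -Identity 'Standard Preset Security Policy'

# Check: confirm scope and state, and note the Priority. Lower numbers win,
# and presets are evaluated before any custom policy, so a pilot user who is
# also targeted by a custom policy must be excluded here to get the custom one.
Get-EOPProtectionPolicyRule |
    Select-Object Name, State, Priority, SentToMemberOf, ExceptIfSentToMemberOf
Get-ATPProtectionPolicyRule |
    Select-Object Name, State, Priority, SentToMemberOf, ExceptIfSentToMemberOf
```

Run the two Get-* checks again after every group change during the pilot; the rule output, not the group membership alone, is what shows who is actually covered.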

Configure custom protection policies

The pre-defined Standard or Strict Defender for Office 365 policy templates give your pilot users the recommended baseline protection. However, you can also build and assign custom protection policies as part of your evaluation.

It's important to be aware of the precedence these protection policies take when applied and enforced, as explained in Order and precedence of email protection - Office 365 and Order of precedence for preset security policies and other policies.

The table below provides references and more guidance for configuring and assigning custom protection policies:

| Policy | Description | Included in preset security policies? | Default policy available? | Reference |
|---|---|---|---|---|
| Connection filter policies | Identify good or bad source email servers by IP address. | No | Yes | Configure the default connection filter policy in EOP |
| Outbound spam filter policies | Specify outbound message rate limits and control external email forwarding. | No | Yes | Configure outbound spam filtering in EOP |
| Anti-malware policies | Protect users from email malware, including what actions to take and who to notify if malware is detected. | Yes | Yes | Configure anti-malware policies in EOP |
| Anti-spam policies | Protect users from email spam, including what actions to take if spam is detected. | Yes | Yes | Configure anti-spam policies in Defender for Office 365 |
| Anti-spoofing protection | Protect users from spoofing attempts using spoof intelligence and spoof intelligence insights. | Yes | Yes | Configure spoof intelligence in Defender for Office 365; Configure anti-phishing policies in EOP |
| Impersonation protection | Protect users from phishing attacks and configure safety tips on suspicious messages. | Yes, but some configuration required. | Yes, but some configuration required. | Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365; Impersonation insight in Defender for Office 365; Configure anti-phishing policies in Microsoft Defender for Office 365 |
| Safe Attachments policies | Protect users from malicious content in email attachments and files in SharePoint, OneDrive, and Teams. | Yes | Effectively, via Built-in protection | Set up Safe Attachment policies in Defender for Office 365 |
| Safe Links policies | Protect users from opening and sharing malicious links in email messages or supported Office apps. | Yes | Effectively, via Built-in protection | Set up Safe Links policies in Defender for Office 365 |

Step 3: Try out capabilities and get familiar with simulation, monitoring, and metrics

Now that your pilot is set up and configured, it's helpful to become familiar with the reporting, monitoring, and attack simulation tools that are unique to Microsoft Defender for Office 365.

| Capability | Description | More information |
|---|---|---|
| Threat Explorer | Threat Explorer is a powerful near-real-time tool that helps Security Operations teams investigate and respond to threats. It displays information about suspected malware and phish in email and files in Office 365, as well as other security threats and risks to your organization. | Views in Threat Explorer and real-time detections |
| Attack simulation training | You can use Attack simulation training in the Microsoft 365 Defender portal to run realistic attack scenarios in your organization, which help you identify and find vulnerable users before a real attack impacts your environment. | Get started using Attack simulation training |
| Reports dashboard | On the left navigation menu, click Reports and expand the Email & collaboration heading. The Email & collaboration reports help you spot security trends; some let you take action (through buttons like 'Go to submissions'), and others show trends only. These metrics are generated automatically. | View email security reports in the Microsoft 365 Defender portal; View Defender for Office 365 reports in the Microsoft 365 Defender portal |

Next steps

Evaluate Microsoft Defender for Endpoint

Return to the overview for Evaluate Microsoft Defender for Office 365

Return to the overview for Evaluate and pilot Microsoft 365 Defender