Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

• Exchange Online Protection
• Microsoft Defender for Office 365 plan 1 and plan 2
• Microsoft 365 Defender

Configuration analyzer in the Microsoft 365 Defender portal provides a central location to find and fix security policies where the settings are below the Standard protection and Strict protection profile settings in preset security policies.

The following types of policies are analyzed by the configuration analyzer:

• Exchange Online Protection (EOP) policies: This includes Microsoft 365 organizations with Exchange Online mailboxes and standalone EOP organizations without Exchange Online mailboxes:

  • Anti-spam policies.
  • Anti-malware policies.
  • EOP anti-phishing policies.

• Microsoft Defender for Office 365 policies: This includes organizations with Microsoft 365 E5 or Defender for Office 365 add-on subscriptions:

  • Anti-phishing policies in Microsoft Defender for Office 365, which include:
    • The same spoof settings that are available in the EOP anti-phishing policies.
    • Impersonation settings
    • Advanced phishing thresholds
  • Safe Links policies.
  • Safe Attachments policies.

The Standard and Strict policy setting values that are used as baselines are described in Recommended settings for EOP and Microsoft Defender for Office 365 security.

What do you need to know before you begin?

• You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Configuration analyzer page, use https://security.microsoft.com/configurationAnalyzer.

• To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

• You need to be assigned permissions before you can do the procedures in this article. You have the following options:

  • Microsoft 365 Defender role based access control (RBAC): configuration/security (manage) or configuration/security (read). Currently, this option requires membership in the Microsoft 365 Defender Preview program.
  • Email & collaboration RBAC in the Microsoft 365 Defender portal:
    • Use the configuration analyzer and update the affected security policies: Membership in the Organization Management or Security Administrator role groups.
    • Read-only access to the configuration analyzer: Membership in the Global Reader or Security Reader role groups.
  • Exchange Online RBAC: Membership in the View-Only Organization Management role group gives read-only access to the configuration analyzer.
  • Azure AD RBAC: Membership in the Global Administrator, Security Administrator, Global Reader, or Security Reader roles gies users the required permissions and permissions for other features in Microsoft 365.

Use the configuration analyzer in the Microsoft 365 Defender portal

In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Configuration analyzer in the Templated policies section. To go directly to the Configuration analyzer page, use https://security.microsoft.com/configurationAnalyzer.

The Configuration analyzer page has three main tabs:

• Standard recommendations: Compare your existing security policies to the Standard recommendations. You can adjust your settings values to bring them up to the same level as Standard.
• Strict recommendations: Compare your existing security policies to the Strict recommendations. You can adjust your settings values to bring them up to the same level as Strict.
• Configuration drift analysis and history: Audit and track policy changes over time.

Standard recommendations and Strict recommendations tabs in the configuration analyzer

By default, the configuration analyzer opens on the Standard recommendations tab. You can switch to the Strict recommendations tab. The settings, layout, and actions are the same on both tabs.

The first section of the tab displays the number of settings in each type of policy that need improvement as compared to Standard or Strict protection. The types of policies are:

• Anti-spam
• Anti-phishing
• Anti-malware
• Safe Attachments (if your subscription includes Microsoft Defender for Office 365)
• Safe Links (if your subscription includes Microsoft Defender for Office 365)

If a policy type and number isn't shown, then all of your policies of that type meet the recommended settings of Standard or Strict protection.

The rest of the tab is the table of settings that need to be brought up to the level Standard or Strict protection. The table contains the following columns:

• Recommendations: The value of the setting in the Standard or Strict protection profile.
• Policy: The name of the affected policy that contains the setting.
• Policy group/setting name: The name of the setting that requires your attention.
• Policy type: Anti-spam, Anti-phishing, Anti-malware, Safe Links, or Safe Attachments.
• Current configuration: The current value of the setting.
• Last modified: The date that the policy was last modified.
• Status: Typically, this value is Not started.

Change a policy setting to the recommended value

On the Standard protection or Strict protection tab of the configuration analyzer, select the row in the table. The following buttons appear:

• Apply recommendation
• View policy
• Refresh:

If you select a row and click Apply recommendation, a confirmation dialog (with the option to not show the dialog again) appears. If you click OK, the following things happen:

• The setting is updated to the recommended value.
• The Apply recommendation and View policy disappear (only the Refresh button remains).
• The Status value for the row changes to Complete.

If you select a row and click View policy you're taken to the details flyout of the affected policy in the Microsoft 365 Defender portal where you can manually update the setting.

After you automatically or manually update the setting, click Refresh to see the reduced number of recommendations and the removal of the updated row from the results.

Configuration drift analysis and history tab in the configuration analyzer

This tab allows you to track the changes that have been made to your security policies and how those changes compare to the Standard or Strict settings. By default, the following information is displayed:

• Last modified
• Modified by
• Setting Name
• Policy: The name of the affected policy.
• Type: Anti-spam, Anti-phishing, Anti-malware, Safe Links, or Safe Attachments.
• Configuration change: The old value and the new value of the setting
• Configuration drift: The value Increase or Decrease that indicates the setting increased or decreased security compared to the recommended Standard or Strict setting.

To filter the results, click Filter. In the Filters flyout that appears, you can select from the following filters:

• Start time and End time (date): You can go back as far as 90 days from today.
• Standard protection or Strict protection

When you're finished, click Apply.

To export the results to a .csv file, click Export.

To filter the results by a specific Modified by, Setting name, or Type value, use the Search box.