Configuration analyzer in the Microsoft Defender portal provides a central location to find and fix security policies where the settings are less secure than the Standard protection and Strict protection profile settings in preset security policies.
The following types of policies are analyzed by the configuration analyzer:
Exchange Online Protection (EOP) policies: Includes Microsoft 365 organizations with Exchange Online mailboxes and standalone EOP organizations without Exchange Online mailboxes:
You need to be assigned permissions before you can do the procedures in this article. You have the following options:
Microsoft Defender XDR Unified role based access control (RBAC) (If Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell): Authorization and settings/Security settings/Core Security settings (manage) or Authorization and settings/Security settings/Core Security settings (read).
Use the configuration analyzer and update the affected security policies: Membership in the Organization Management or Security Administrator role groups.
Read-only access to the configuration analyzer: Membership in the Global Reader or Security Reader role groups.
Exchange Online permissions: Membership in the View-Only Organization Management role group gives read-only access to the configuration analyzer.
Microsoft Entra permissions: Membership in the Global Administrator*, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Use the configuration analyzer in the Microsoft Defender portal
The Configuration analyzer page has three main tabs:
Standard recommendations: Compare your existing security policies to the Standard recommendations. You can adjust your settings values to bring them up to the same level as Standard.
Strict recommendations: Compare your existing security policies to the Strict recommendations. You can adjust your settings values to bring them up to the same level as Strict.
Configuration drift analysis and history: Audit and track policy changes over time.
Standard recommendations and Strict recommendations tabs in the configuration analyzer
By default, the configuration analyzer opens on the Standard recommendations tab. You can switch to the Strict recommendations tab. The settings, layout, and actions are the same on both tabs.
The first section of the tab displays the number of settings in each type of policy that need improvement as compared to Standard or Strict protection. The types of policies are:
Anti-spam
Anti-phishing
Anti-malware
Safe Attachments (if your subscription includes Microsoft Defender for Office 365)
Safe Links (if your subscription includes Microsoft Defender for Office 365)
DKIM
Built-in Protection (if your subscription includes Microsoft Defender for Office 365)
Outlook
If a policy type and number isn't shown, then all of your policies of that type meet the recommended settings of Standard or Strict protection.
The rest of the tab is the table of settings that need to be brought up to the level of Standard or Strict protection. The table contains the following columns*:
Recommendations: The value of the setting in the Standard or Strict protection profile.
Policy: The name of the affected policy that contains the setting.
Policy group/setting name: The name of the setting that requires your attention.
Policy type: Anti-spam, Anti-phishing, Anti-malware, Safe Links, or Safe Attachments.
Current configuration: The current value of the setting.
Last modified: The date that the policy was last modified.
Status: Typically, this value is Not started.
* To see all columns, you likely need to do one or more of the following steps:
Horizontally scroll in your web browser.
Narrow the width of appropriate columns.
Zoom out in your web browser.
To filter the entries, select Filter. The following filters are available in the Filters flyout that opens:
Anti-spam
Anti-phishing
Anti-malware
Safe Attachments
Safe Links
ATP Built-in Protection rule
DKIM
Outlook
When you're finished in the Filters flyout, select Apply. To clear the filters, select Clear filters.
Use the Search box and a corresponding value to find specific entries.
View details about a recommended policy setting
On the Standard protection or Strict protection tab of the configuration analyzer, select an entry by clicking anywhere in the row other than the check box next to the recommendation name. In the details flyout that opens, the following information is available:
Policy: The name of the affected policy.
Why?: Information about why we recommend the value for the setting.
The specific setting to change and the value to change it to.
View policy: The link takes you to the details flyout of the affected policy in the Microsoft Defender portal where you can manually update the setting.
To see details about other recommendations without leaving the details flyout, use Previous and Next at the top of the flyout.
When you're finished in the details flyout, select Close.
Take action on a recommended policy setting
On the Standard protection or Strict protection tab of the configuration analyzer, select an entry by selecting the check box next to the recommendation name. The following actions appear on the page:
Apply recommendation: If the recommendation requires multiple steps, this action is grayed out.
When you select this action, a confirmation dialog (with the option to not show the dialog again) opens. When you select OK, the following things happen:
The setting is updated to the recommended value.
The recommendation is still selected, but the only available action is Refresh.
The Status value for the row changes to Complete.
View policy: You're taken to the details flyout of the affected policy in the Microsoft Defender portal where you can manually update the setting.
Export: Exports the selected recommendation to a .csv file.
You can also export recommendations after you select multiple recommendations or after you select all recommendations by selecting the check box next to the Recommendations column header.
After you automatically or manually update the setting, select Refresh to see the reduced number of recommendations and the removal of the updated row from the results.
Configuration drift analysis and history tab in the configuration analyzer
This tab allows you to track the changes to your security policies and how those changes compare to the Standard or Strict settings. By default, the following information is displayed:
Last modified
Modified by
Setting Name
Policy: The name of the affected policy.
Type: Anti-spam, Anti-phishing, Anti-malware, Safe Links, or Safe Attachments.
Configuration change: The old value and the new value of the setting.
Configuration drift: The value Increase or Decrease that indicates the setting increased or decreased security compared to the recommended Standard or Strict setting.
To filter the entries, select Filter. The following filters are available in the Filters flyout that opens:
Date: Start time and End time. You can go back as far as 90 days from today.
Type: Standard protection or Strict protection.
When you're finished in the Filters flyout, select Apply. To clear the filters, select Clear filters.
Use the Search box to filter the entries by a specific Modified by, Setting name, or Type value.
To export the entries shown on the Configuration drift analysis and history tab to a .csv file, select Export.
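For reviewing an exported drift history offline, the following added example (not Microsoft's code) parses the .csv and lists the changes whose Configuration drift is Decrease, newest first, with a count per administrator and policy. It assumes the export's header names match the column names listed for this tab and that Last modified is an ISO 8601 timestamp; the sample rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Assumption: the export's header row uses the same names as the tab's columns.
REQUIRED = ["Last modified", "Modified by", "Setting Name", "Policy",
            "Type", "Configuration change", "Configuration drift"]

# Constructed sample (not real tenant output). The timestamp format and the
# "old -> new" rendering of Configuration change are assumptions.
SAMPLE_EXPORT = "\ufeff" + """\
Last modified,Modified by,Setting Name,Policy,Type,Configuration change,Configuration drift
2024-05-02T09:14:00,admin1@contoso.example,BulkThreshold,Default,Anti-spam,6 -> 9,Decrease
2024-05-03T11:30:00,admin2@contoso.example,EnableMailboxIntelligence,Office365 AntiPhish Default,Anti-phishing,False -> True,Increase
2024-05-06T16:45:00,admin1@contoso.example,EnableFileFilter,Default,Anti-malware,True -> False, decrease
"""

def load_drift(text):
    """Parse exported CSV text; fail loudly if an expected column is missing."""
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))  # drop a UTF-8 BOM
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    return list(reader)

def regressions(rows):
    """Rows whose Configuration drift is Decrease, newest change first."""
    hits = [r for r in rows
            if r["Configuration drift"].strip().lower() == "decrease"]
    return sorted(hits,
                  key=lambda r: datetime.fromisoformat(r["Last modified"].strip()),
                  reverse=True)

def regressions_by_actor(rows):
    """Count Decrease changes per (Modified by, Policy, Type) for follow-up."""
    return Counter((r["Modified by"].strip(), r["Policy"].strip(), r["Type"].strip())
                   for r in regressions(rows))

if __name__ == "__main__":
    rows = load_drift(SAMPLE_EXPORT)
    for r in regressions(rows):
        print(r["Last modified"], r["Modified by"], r["Policy"],
              r["Setting Name"], r["Configuration change"])
    print(regressions_by_actor(rows).most_common())
```

Because the tab's history goes back at most 90 days, keeping each periodic export lets this kind of review cover a longer period.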