Details Required To Configure Defender Office 365

To effectively configure Defender for Office 365, you’ll need to gather specific information from your customer. Here’s a structured list of queries, categorized for clarity:

I. General Information & Scope:

What is the primary goal of implementing Defender for Office 365? (e.g., enhanced phishing protection, malware prevention, business email compromise (BEC) prevention, compliance)

Which specific licenses do you currently have that include Defender for Office 365? (e.g., Microsoft 365 E5, Office 365 E5, Microsoft 365 Business Premium)

Are you planning to deploy Defender for Office 365 to all users, or a subset? If a subset, how are these users identified (e.g., specific OUs, groups, departments)?

Do you have any existing third-party email security solutions in place? If so, will Defender for Office 365 replace them, or will they co-exist? If co-existing, how will they integrate or be configured to avoid conflicts?

II. Protection Policies – General:

What is your organization’s general risk tolerance for email-borne threats? (e.g., aggressive blocking, cautious quarantine, focus on user education).

Are there any specific types of threats you are most concerned about? (e.g., spear phishing, ransomware, BEC, zero-day exploits, impersonation).

Do you have any specific internal policies or compliance requirements related to email security that need to be met?

III. Anti-Malware Policies:

What action should be taken for detected malware in emails? (e.g., quarantine, delete message, redirect to admin).

Do you want to enable the common attachments filter? If so, are there any specific file types you want to block or allow?

Do you want to enable ZAP (Zero-hour Auto Purge) for malware?

IV. Anti-Spam Policies:

What is your organization’s tolerance for spam and bulk mail? (e.g., aggressive filtering, more lenient).

What actions should be taken for high confidence spam, spam, phishing, and bulk mail? (e.g., move to Junk Email folder, quarantine, redirect message).

Do you have any trusted senders or domains that should always bypass spam filtering? (Allow list).

Are there any specific senders or domains that should always be blocked? (Block list).

Do you want to enable ZAP for spam and phishing?

V. Anti-Phishing Policies (including Impersonation & Spoof Intelligence):

Which users, groups, or domains are considered high-value targets for impersonation? (e.g., C-level executives, finance department, specific domain names).

What action should be taken when an impersonated user or domain is detected? (e.g., redirect to admin, quarantine the message, move to Junk Email folder, don’t deliver).

Do you want to enable mailbox intelligence for impersonation protection?

How aggressively do you want to use spoof intelligence? (e.g., block all unauthenticated senders, allow some known legitimate spoofing scenarios).

Are there any specific internal or external domains that legitimately spoof your domain (e.g., third-party marketing services)? These would need to be added to the Tenant Allow/Block List.
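Once the section V answers are in hand, they map almost one-to-one onto an anti-phishing policy. The following is an added example (not part of the original checklist) using the ExchangeOnlineManagement module; the policy name, protected users, group and domains are constructed placeholders to be replaced with the customer's answers.

```powershell
# Added example (not from the original checklist): turn section V answers into an
# anti-phishing policy with the ExchangeOnlineManagement module.
# All names, addresses and domains below are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in with a Security Administrator (or equivalent) account

# Q: high-value impersonation targets -> protected users ("Display Name;address") and domains
$protectedUsers   = @('Jane Doe;jane.doe@contoso.example', 'Sam Lee;sam.lee@contoso.example')
$protectedDomains = @('contoso.example')

# Q: action on detected impersonation / spoof -> quarantine (tune to the customer's risk tolerance)
$policyParams = @{
    Name                                = 'Exec Impersonation Protection'
    AdminDisplayName                    = 'From configuration questionnaire, section V'
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    TargetedUserProtectionAction        = 'Quarantine'
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = $protectedDomains
    TargetedDomainProtectionAction      = 'Quarantine'
    # Q: mailbox intelligence -> learn each user's normal contacts and act on lookalike senders
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'
    # Q: spoof intelligence aggressiveness -> quarantine senders failing composite authentication
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'
    # Q: risk tolerance -> phishing threshold 1 (standard) .. 4 (most aggressive)
    PhishThresholdLevel                 = 3
}
New-AntiPhishPolicy @policyParams

# Scope the policy to the users identified in section I (here a mail-enabled group)
New-AntiPhishRule -Name 'Exec Impersonation Protection' `
    -AntiPhishPolicy 'Exec Impersonation Protection' `
    -SentToMemberOf 'Executives@contoso.example' -Priority 0

# Q: third parties that legitimately spoof your domain -> Tenant Allow/Block List spoof entry
New-TenantAllowBlockListSpoofItems -Identity Default -Action Allow -SpoofType External `
    -SendingInfrastructure 'marketing-vendor.example' -SpoofedUser 'contoso.example'

# Verify the result before sign-off
Get-AntiPhishPolicy -Identity 'Exec Impersonation Protection' |
    Select-Object Name, TargetedUserProtectionAction, AuthenticationFailAction, PhishThresholdLevel
```

Run it against a pilot group first and review the anti-phishing reports for false positives before widening the rule's scope.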

VI. Safe Attachments Policies:

What action should be taken for attachments deemed unsafe by Safe Attachments? (e.g., Block, Monitor, Replace, Dynamic Delivery).

Do you want to apply Safe Attachments to SharePoint, OneDrive, and Microsoft Teams?

Do you have any specific file types that should always bypass Safe Attachments (though generally not recommended)?

VII. Safe Links Policies:

Which users, groups, or domains should Safe Links be applied to?

What action should be taken for malicious links? (e.g., block access to the URL).

Do you want to enable Safe Links for internal emails?

Do you want to enable Safe Links in Microsoft Teams?

Are there any specific URLs that should always be rewritten or never be rewritten by Safe Links? (e.g., internal application links, known legitimate marketing links).
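The section VII answers translate into a Safe Links policy and rule in the same way. This is an added example, not part of the original checklist; it assumes an existing Connect-ExchangeOnline session, and the policy name, recipient domain and URL patterns are constructed placeholders.

```powershell
# Added example (not from the original checklist): a Safe Links policy built from section VII answers.
# Domain and URL values are constructed placeholders; requires the ExchangeOnlineManagement module
# and an existing Connect-ExchangeOnline session.

# Q: URLs that must never be rewritten (internal apps, known marketing links).
# Wildcards are supported; keep this list short, since unrewritten URLs get no time-of-click check.
$doNotRewrite = @('https://intranet.contoso.example/*', 'https://newsletters.contoso.example/*')

$safeLinksParams = @{
    Name                     = 'Safe Links - All Staff'
    AdminDisplayName         = 'From configuration questionnaire, section VII'
    EnableSafeLinksForEmail  = $true
    EnableForInternalSenders = $true    # Q: Safe Links for internal e-mail
    EnableSafeLinksForTeams  = $true    # Q: Safe Links in Microsoft Teams
    EnableSafeLinksForOffice = $true    # also cover links opened from Office apps
    ScanUrls                 = $true    # scan links in real time at click
    DeliverMessageAfterScan  = $true    # hold delivery until the URL scan completes
    DisableUrlRewrite        = $false   # Q: malicious links -> rewrite and block access at click
    AllowClickThrough        = $false   # users cannot bypass the warning page
    TrackClicks              = $true    # click data feeds the URL reports discussed in section VIII
    DoNotRewriteUrls         = $doNotRewrite
}
New-SafeLinksPolicy @safeLinksParams

# Q: which users/domains -> here every recipient in the accepted domain
New-SafeLinksRule -Name 'Safe Links - All Staff' -SafeLinksPolicy 'Safe Links - All Staff' `
    -RecipientDomainIs 'contoso.example' -Priority 0

# Review the effective settings
Get-SafeLinksPolicy -Identity 'Safe Links - All Staff' |
    Select-Object Name, EnableSafeLinksForTeams, EnableForInternalSenders, AllowClickThrough, DoNotRewriteUrls
```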

VIII. Alerts & Reporting:

Who should receive alerts for detected threats? (e.g., security team, IT administrators, specific individuals).

What is the preferred method for receiving alerts? (e.g., email, Security & Compliance Center).

What level of detail is required in reports? (e.g., high-level summaries, detailed threat logs).

How often do you want to review reports on email security posture and detected threats?

IX. End-User Experience:

How do you want to handle quarantined messages for end-users? (e.g., allow users to release, require admin release, send daily quarantine notifications).

Do you want to allow users to report phishing or spam emails? If so, how should these reports be handled (e.g., submit to Microsoft, send to internal mailbox)?

What level of end-user education and communication will be provided regarding email security and Defender for Office 365?

X. Ongoing Management & Maintenance:

Who will be responsible for ongoing monitoring, tuning, and management of Defender for Office 365 policies?

What is your process for handling false positives and false negatives?