Security
Scoping Office 365 ATP Policies
Policies within Office 365 ATP can be applied to (or scoped) in several ways, as in the screenshot below. By far the simplest method, and most secure, is to protect the entire domain. But what if your organization doesn’t own the licensing to cover everyone in the domain? This post will walk through an example of how to setup and configure the policies to be scoped to a specific group along with a couple of the configuration best practices.
Aside from applying O365 ATP policies to all users of a domain, applying to groups requires using an Exchange Online (EXO) distribution list (DL) or Microsoft 365 group. The challenge with using either of these, as you might suspect, is that users can send/receive messages and/or collaborate in that shared DL/group. So we need to further limit and restrict the actions that users can take. My examples/process below will focus on using an M365 Group.
- In Azure AD > Groups, create a new Microsoft 365 group. Create this group without any members since we’ll need to make other changes and test before adding production users.
Second, we need to configure this group to limit interactions/notifications with users . Before running these commands, there are a couple notes that are of great importance.
- The latest preview version of the EXO module needs to be used.
- To get these commands to function, it may be necessary to update [Windows 10] with the latest package management and PowerShellGet modules in order to have the latest Install-Module cmdlets that support newer parameters such as “AllowPrerelease”.
- After updating PowerShellGet, restart the PowerShell/ISE app.
Install-Module -Name PackageManagement -Repository PSGallery -Force
Install-Module -Name PowerShellGet -Repository PSGallery -Force- Install and import the Exchange Online PowerShell v2 module (if not already done). The abbreviated version of these instructions are as follows.
Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3-Preview -AllowPrerelease
Import-Module -Name ExchangeOnlineManagement- Connect to Exchange Online instance (with admin user).
Connect-ExchangeOnline- Configure the group to be hidden in Office clients and in the GAL.
Set-UnifiedGroup -Identity "Group Name" -HiddenFromExchangeClientsEnabled:$true- Disable notifications to users about being added to the group.
Set-UnifiedGroup -Identity "Group Name" -UnifiedGroupWelcomeMessageEnable:$false 
Next, the group needs to be updated to restricted to accept only messages from a specific list of users.
- Update group settings in Exchange Online Admin Center > Recipients > Groups.
Finally, update the M365 group to:
- Update group to use a dynamic membership – single user to test and confirm settings as desired.
- Update group to use a dynamic membership – users assigned O365 ATP licenses.
- Scope O365 ATP policies (Safe Links, Safe Attachments, etc.) to the new M365 group.
Windows 10 Endpoint Security Matrix
Microsoft has a good matrix and comparison chart of the security product features built-in with Windows 10 Professional and Enterprise. Along with that matrix is a downloadable full comparison chart. What I really like about that full chart is that it compares Pro vs. Enterprise as a security function and capability, not just as a product name. Recently, I was asked if I could map the capability to the product name. As best as I could, below is the table that I created which marries those two by mapping the functionality to the product. Minus the licensing portion (Pro vs. Enterprise E3 vs. Enterprise E5) that is.
Functionality |
Product feature(s) |
| Attack Surface Reduction controls | |
| Integrity enforcement of operating system boot up process | System Guard |
| Integrity enforcement of sensitive operating system components | System Guard |
| Advanced vulnerability and zero-day exploit mitigations | Exploit Guard + WDAV |
| Reputation based network protection for Microsoft Edge, Internet Explorer and Chrome | SmartScreen |
| Host based firewall | Firewall |
| Ransomware mitigations | Exploit Guard + WDAV (with controlled folder access) |
| Hardware based isolation for Microsoft Edge | Application Guard |
| Application control powered by the Intelligent Security Graph | Application Control |
| Device Control (e.g.: USB) | Exploit Guard (hypervisor code integrity), MDATP (additional security) |
| Network protection for web-based threats | Exploit Guard |
| Enterprise management of hardware-based isolation for Microsoft Edge | Application Guard enterprise controls defined for internal/external sites |
| Host intrusion prevention rules | Exploit Guard (HIPS) |
| Customizable allow/deny lists (e.g.: IP/URL, Files, Certificates) | Exploit Gard (network protection) using MDATP |
| Device-based conditional access | MDATP integration with Intune device management |
| Centrally manageable tamper protection of operating system | MDATP |
| Next Generation Protection | |
| Pre-execution emulation executables and scripts | WDAV |
| Runtime behavior monitoring | WDAV |
| In memory anomaly and behavior monitoring | WDAV + Exploit Guard |
| Machine learning and AI based protection from viruses and malware threats | WDAV |
| Cloud protection for fastest responses to new/unknown webbased threats | WDAV (block at first sight) |
| Protection from fileless based attacks | WDAV + Exploit Guard |
| Advanced machine learning and AI based protection for apex level viruses and malware threats | WDAV + MDATP |
| Advanced cloud protection that includes deep inspection and detonation | MDATP |
| Emergency outbreak protection from the Intelligent Security Graph | WDAV + MDATP |
| Monitoring, analytics and reporting for Next Generation Protection capabilities | WDAV + MDATP |
| Endpoint Detection and Response | |
| Behavioral-based detection for advanced and targeted attacks (post-breach) | MDATP |
| Centralized security operations management with Windows Defender Security Center | MDATP |
| Rich investigation tools | MDATP |
| Forensic collection | MDATP |
| Response actions | MDATP |
| Advanced detonation service with deep file analysis | MDATP |
| Upload of Indicators of Compromise (IOC) for custom alerts | MDATP |
| Flexible hunting queries over historical data | MDATP |
| Custom alerts via powerful advanced hunting queries | MDATP |
| Discover and report SaaS app usage to MCAS | MDATP |
| Machine risk level to trigger conditional access | MDATP |
| Monitoring, analytics and reporting | MDATP |
| Automatic Investigation and Remediation | |
| Automated alert investigations using Artificial Intelligence | MDATP |
| Automated remediation of advanced threats | MDATP |
| Monitoring, analytics and reporting | MDATP |
| Security Score | |
| Assess and improve your organization security posture using Microsoft Secure Score for Windows | MDATP |
| Threat Analytics shows your organizations exposure to threats | MDATP |
| Security Management | |
| Monitoring, analytics and reporting | MDATP |
| Rich Power BI dashboards and reports | MDATP |
| Enterprise-grade Extensibility and Compliance | |
| Integrated endpoint protection for 3rd party platforms (macOS,Linux, iOS, Android) | MDATP (Note that Microsoft now has a client for macOS) |
| Open Graph APIs to integrate with your solutions | MDATP |
| Integration with Microsoft Advanced Threat Protection (ATP) products | MDATP |
| ISO 27001 compliance | MDATP |
| Geolocation and sovereignty of sample data | MDATP |
| Sample data retention policy | MDATP |
| Multi Factor and password-less Authentication | |
| Industry standards based multifactor authentication | Windows Hello for Business |
| Support for biometrics (Facial and Fingerprints) | Windows Hello for Business |
| Support for Microsoft Authenticator | Windows Hello for Business |
| Support for Microsoft compatible security key | Windows Hello for Business |
| Supports for Active Directory and Azure Active Directory | Windows Hello for Business |
| Credential Protection | |
| Hardware isolation of single sign-in tokens | Credential Guard |
| Centralized management, analytics, reporting, and operations | Credential Guard + MDATP |
| Full Volume Encryption | |
| Automatic encryption on capable devices | Win10 |
| Advanced encryption configuration options | BitLocker |
| Removable storage protection | BitLocker to Go |
| Direct Access & Always On VPN device Tunnel | Win10 |
| Centralized configuration mgmt, analytics, reporting, and security operations | MBAM (standalone, SCCM, Intune, MEM) + MDATP |
| Data Loss Prevention | |
| Personal and business data separation | Windows Information Protection |
| Application access control | Windows Information Protection |
| Copy and paste protection | Windows Information Protection |
| Removable storage protection | Windows Information Protection |
| Integration with Microsoft Information Protection | Windows Information Protection |
