Scoping Office 365 ATP Policies


Policies within Office 365 ATP can be applied (or scoped) in several ways, as in the screenshot below. By far the simplest and most secure method is to protect the entire domain. But what if your organization doesn't own the licensing to cover everyone in the domain? This post walks through an example of how to set up and configure the policies so that they are scoped to a specific group, along with a couple of configuration best practices.

Aside from applying O365 ATP policies to all users of a domain, applying to groups requires using an Exchange Online (EXO) distribution list (DL) or Microsoft 365 group. The challenge with using either of these, as you might suspect, is that users can send/receive messages and/or collaborate in that shared DL/group. So we need to further limit and restrict the actions that users can take. My examples/process below will focus on using an M365 Group.

  1. In Azure AD > Groups, create a new Microsoft 365 group. Create this group without any members since we’ll need to make other changes and test before adding production users.

Second, we need to configure this group to limit interactions/notifications with users. Before running these commands, there are a couple of notes that are of great importance.

  • The latest preview version of the EXO module needs to be used.
  • To get these commands to function, it may be necessary to update Windows 10 with the latest PackageManagement and PowerShellGet modules in order to have the latest Install-Module cmdlets that support newer parameters such as "AllowPrerelease".
  • After updating PowerShellGet, restart the PowerShell/ISE app.

    Install-Module -Name PackageManagement -Repository PSGallery -Force
    Install-Module -Name PowerShellGet -Repository PSGallery -Force

  1. Install and import the Exchange Online PowerShell v2 module (if not already done). The abbreviated version of these instructions is as follows.

    Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3-Preview -AllowPrerelease
    Import-Module -Name ExchangeOnlineManagement

  2. Connect to the Exchange Online instance (with an admin user).
  3. Configure the group to be hidden in Office clients and in the GAL.

    Set-UnifiedGroup -Identity "Group Name" -HiddenFromExchangeClientsEnabled:$true

  4. Disable notifications to users about being added to the group.

    Set-UnifiedGroup -Identity "Group Name" -UnifiedGroupWelcomeMessageEnabled:$false

Next, the group needs to be restricted so that it accepts messages only from a specific list of users.

  1. Update group settings in Exchange Online Admin Center > Recipients > Groups.

Finally, update the M365 group and scope the policies:

  1. Update the group to use dynamic membership with a single user, to test and confirm the settings are as desired.
  2. Update the group's dynamic membership to the users assigned O365 ATP licenses.
  3. Scope O365 ATP policies (Safe Links, Safe Attachments, etc.) to the new M365 group.
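
The group lock-down can be applied and then checked in one pass before production users are added. The script below is an added example, not part of the original post: it does the sender restriction in PowerShell rather than in the Exchange admin center, and the group name and sender address are placeholders.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and Connect-ExchangeOnline has already been run as an admin.
$GroupName      = 'Group Name'                # placeholder, as in the post
$AllowedSenders = @('admin@contoso.example')  # constructed sample address

# Hide the group, suppress the welcome mail, and restrict who may send to it.
Set-UnifiedGroup -Identity $GroupName -HiddenFromExchangeClientsEnabled:$true
Set-UnifiedGroup -Identity $GroupName -UnifiedGroupWelcomeMessageEnabled:$false
Set-UnifiedGroup -Identity $GroupName -AcceptMessagesOnlyFromSendersOrMembers $AllowedSenders

# Read the group back and compare each setting with what the procedure expects.
$g = Get-UnifiedGroup -Identity $GroupName
$senderCount = @($g.AcceptMessagesOnlyFromSendersOrMembers).Count
$results = @(
    [pscustomobject]@{ Setting = 'HiddenFromExchangeClientsEnabled'; Expected = $true;  Actual = [bool]$g.HiddenFromExchangeClientsEnabled }
    [pscustomobject]@{ Setting = 'HiddenFromAddressListsEnabled';    Expected = $true;  Actual = [bool]$g.HiddenFromAddressListsEnabled }
    [pscustomobject]@{ Setting = 'WelcomeMessageEnabled';            Expected = $false; Actual = [bool]$g.WelcomeMessageEnabled }
    [pscustomobject]@{ Setting = 'Sender restriction present';       Expected = $true;  Actual = ($senderCount -gt 0) }
)
$results | Format-Table -AutoSize

# Stop before production users are added if any setting did not take effect.
$failed = @($results | Where-Object { $_.Actual -ne $_.Expected })
if ($failed.Count -gt 0) {
    throw "Group '$GroupName' is not locked down: $($failed.Setting -join ', ')"
}
```

Run it while the group is still empty or holds only the test user, so that a failed check is caught before licensed users are moved into scope.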

Windows 10 Endpoint Security Matrix


Microsoft has a good matrix and comparison chart of the security product features built into Windows 10 Professional and Enterprise. Along with that matrix is a downloadable full comparison chart. What I really like about that full chart is that it compares Pro vs. Enterprise as a security function and capability, not just as a product name. Recently, I was asked if I could map the capability to the product name. As best as I could, below is the table that I created, which marries those two by mapping the functionality to the product, minus the licensing portion (Pro vs. Enterprise E3 vs. Enterprise E5).


| Functionality | Product feature(s) |
| --- | --- |
| Attack Surface Reduction controls | |
| Integrity enforcement of operating system boot up process | System Guard |
| Integrity enforcement of sensitive operating system components | System Guard |
| Advanced vulnerability and zero-day exploit mitigations | Exploit Guard + WDAV |
| Reputation based network protection for Microsoft Edge, Internet Explorer and Chrome | SmartScreen |
| Host based firewall | Firewall |
| Ransomware mitigations | Exploit Guard + WDAV (with controlled folder access) |
| Hardware based isolation for Microsoft Edge | Application Guard |
| Application control powered by the Intelligent Security Graph | Application Control |
| Device Control (e.g.: USB) | Exploit Guard (hypervisor code integrity), MDATP (additional security) |
| Network protection for web-based threats | Exploit Guard |
| Enterprise management of hardware-based isolation for Microsoft Edge | Application Guard enterprise controls defined for internal/external sites |
| Host intrusion prevention rules | Exploit Guard (HIPS) |
| Customizable allow/deny lists (e.g.: IP/URL, Files, Certificates) | Exploit Guard (network protection) using MDATP |
| Device-based conditional access | MDATP integration with Intune device management |
| Centrally manageable tamper protection of operating system | MDATP |
| Next Generation Protection | |
| Pre-execution emulation executables and scripts | WDAV |
| Runtime behavior monitoring | WDAV |
| In memory anomaly and behavior monitoring | WDAV + Exploit Guard |
| Machine learning and AI based protection from viruses and malware threats | WDAV |
| Cloud protection for fastest responses to new/unknown web-based threats | WDAV (block at first sight) |
| Protection from fileless based attacks | WDAV + Exploit Guard |
| Advanced machine learning and AI based protection for apex level viruses and malware threats | WDAV + MDATP |
| Advanced cloud protection that includes deep inspection and detonation | MDATP |
| Emergency outbreak protection from the Intelligent Security Graph | WDAV + MDATP |
| Monitoring, analytics and reporting for Next Generation Protection capabilities | WDAV + MDATP |
| Endpoint Detection and Response | |
| Behavioral-based detection for advanced and targeted attacks (post-breach) | MDATP |
| Centralized security operations management with Windows Defender Security Center | MDATP |
| Rich investigation tools | MDATP |
| Forensic collection | MDATP |
| Response actions | MDATP |
| Advanced detonation service with deep file analysis | MDATP |
| Upload of Indicators of Compromise (IOC) for custom alerts | MDATP |
| Flexible hunting queries over historical data | MDATP |
| Custom alerts via powerful advanced hunting queries | MDATP |
| Discover and report SaaS app usage to MCAS | MDATP |
| Machine risk level to trigger conditional access | MDATP |
| Monitoring, analytics and reporting | MDATP |
| Automatic Investigation and Remediation | |
| Automated alert investigations using Artificial Intelligence | MDATP |
| Automated remediation of advanced threats | MDATP |
| Monitoring, analytics and reporting | MDATP |
| Security Score | |
| Assess and improve your organization security posture using Microsoft Secure Score for Windows | MDATP |
| Threat Analytics shows your organization's exposure to threats | MDATP |
| Security Management | |
| Monitoring, analytics and reporting | MDATP |
| Rich Power BI dashboards and reports | MDATP |
| Enterprise-grade Extensibility and Compliance | |
| Integrated endpoint protection for 3rd party platforms (macOS, Linux, iOS, Android) | MDATP (Note that Microsoft now has a client for macOS) |
| Open Graph APIs to integrate with your solutions | MDATP |
| Integration with Microsoft Advanced Threat Protection (ATP) products | MDATP |
| ISO 27001 compliance | MDATP |
| Geolocation and sovereignty of sample data | MDATP |
| Sample data retention policy | MDATP |
| Multi Factor and password-less Authentication | |
| Industry standards based multifactor authentication | Windows Hello for Business |
| Support for biometrics (Facial and Fingerprints) | Windows Hello for Business |
| Support for Microsoft Authenticator | Windows Hello for Business |
| Support for Microsoft compatible security key | Windows Hello for Business |
| Support for Active Directory and Azure Active Directory | Windows Hello for Business |
| Credential Protection | |
| Hardware isolation of single sign-in tokens | Credential Guard |
| Centralized management, analytics, reporting, and operations | Credential Guard + MDATP |
| Full Volume Encryption | |
| Automatic encryption on capable devices | Win10 |
| Advanced encryption configuration options | BitLocker |
| Removable storage protection | BitLocker to Go |
| Direct Access & Always On VPN device Tunnel | Win10 |
| Centralized configuration mgmt, analytics, reporting, and security operations | MBAM (standalone, SCCM, Intune, MEM) + MDATP |
| Data Loss Prevention | |
| Personal and business data separation | Windows Information Protection |
| Application access control | Windows Information Protection |
| Copy and paste protection | Windows Information Protection |
| Removable storage protection | Windows Information Protection |
| Integration with Microsoft Information Protection | Windows Information Protection |