Scoping Office 365 ATP Policies
Policies within Office 365 ATP can be applied (or scoped) in several ways, as in the screenshot below. By far the simplest and most secure method is to protect the entire domain. But what if your organization doesn't own the licensing to cover everyone in the domain? This post walks through an example of how to set up and configure the policies so they are scoped to a specific group, along with a couple of configuration best practices.
Aside from applying O365 ATP policies to all users of a domain, applying them to groups requires an Exchange Online (EXO) distribution list (DL) or a Microsoft 365 group. The challenge with either of these, as you might suspect, is that users can send/receive messages and/or collaborate in that shared DL/group. So we need to further limit and restrict the actions that users can take. My examples/process below will focus on using an M365 group.
- In Azure AD > Groups, create a new Microsoft 365 group. Create this group without any members since we’ll need to make other changes and test before adding production users.
Second, we need to configure this group to limit interactions/notifications with users. Before running these commands, there are a couple of notes that are of great importance.
- The latest preview version of the EXO module needs to be used.
- To get these commands to function, it may be necessary to update [Windows 10] with the latest package management and PowerShellGet modules in order to have the latest Install-Module cmdlets that support newer parameters such as “AllowPrerelease”.
- After updating PowerShellGet, restart the PowerShell/ISE app.
Install-Module -Name PackageManagement -Repository PSGallery -Force
Install-Module -Name PowerShellGet -Repository PSGallery -Force
- Install and import the Exchange Online PowerShell v2 module (if not already done). The abbreviated version of these instructions is as follows.
Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3-Preview -AllowPrerelease
Import-Module -Name ExchangeOnlineManagement
- Connect to the Exchange Online instance (with an admin user).
- Configure the group to be hidden in Office clients and in the GAL.
Set-UnifiedGroup -Identity "Group Name" -HiddenFromExchangeClientsEnabled:$true
- Disable notifications to users about being added to the group.
Set-UnifiedGroup -Identity "Group Name" -UnifiedGroupWelcomeMessageEnabled:$false
Next, the group needs to be restricted so that it accepts messages only from a specific list of users.
- Update group settings in Exchange Online Admin Center > Recipients > Groups.
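The complete hardening of the group in one PowerShell session, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module from the earlier step is installed; the group name, admin UPN and allowed-sender address are placeholders. Beyond the two settings shown above, it also hides the group from the address lists, turns off auto-subscription of new members, restricts senders (the same change the post makes in the admin center) and reads the settings back so they can be verified before any members are added.

```powershell
# Added example (not from the original post): harden a freshly created M365 group
# so it serves only as an ATP policy scope, not as a collaboration space.
$GroupName   = "ATP-Scope"                  # placeholder: the M365 group created in Azure AD
$AdminUpn    = "admin@contoso.example"      # placeholder: admin account used to connect
$AllowedFrom = @("admin@contoso.example")   # placeholder: only sender(s) allowed to mail the group

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Hide the group from Outlook/OWA and the GAL, suppress the welcome mail,
# and stop new members from being auto-subscribed to group conversations.
Set-UnifiedGroup -Identity $GroupName `
    -HiddenFromExchangeClientsEnabled:$true `
    -HiddenFromAddressListsEnabled:$true `
    -UnifiedGroupWelcomeMessageEnabled:$false `
    -AutoSubscribeNewMembers:$false

# Accept mail only from the listed senders (authenticated senders only);
# everyone else, including group members, is rejected.
Set-UnifiedGroup -Identity $GroupName `
    -RequireSenderAuthenticationEnabled:$true `
    -AcceptMessagesOnlyFromSendersOrMembers $AllowedFrom

# Read the settings back and check them before adding production users.
Get-UnifiedGroup -Identity $GroupName |
    Select-Object DisplayName,
                  HiddenFromExchangeClientsEnabled,
                  HiddenFromAddressListsEnabled,
                  UnifiedGroupWelcomeMessageEnabled,
                  AutoSubscribeNewMembers,
                  RequireSenderAuthenticationEnabled,
                  AcceptMessagesOnlyFromSendersOrMembers |
    Format-List
```

Running the `Get-UnifiedGroup` check last matters because the group is still empty at this point: any setting that did not apply shows up in the output while there is still nothing for a user to receive or join.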
Finally, finish the M365 group configuration and scope the policies:
- Update the group to use dynamic membership, initially matching a single user, to test and confirm the settings behave as desired.
- Update the dynamic membership rule to match the users assigned O365 ATP licenses.
- Scope the O365 ATP policies (Safe Links, Safe Attachments, etc.) to the new M365 group.
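The three closing steps carried out in PowerShell, as an added example that is not the post's own code. It assumes the AzureAD module (`Connect-AzureAD`, `Set-AzureADMSGroup`, `Get-AzureADSubscribedSku`) is installed alongside ExchangeOnlineManagement, that an M365 group can be switched to dynamic membership by adding `DynamicMembership` to its group types, and that the ATP Plan 1 service plan is named `ATP_ENTERPRISE` (check this against the output of `Get-AzureADSubscribedSku` in your tenant). The group object id, SMTP address and pilot user are placeholders.

```powershell
# Added example (not from the original post): dynamic membership for the scope
# group, first a single pilot user, then every ATP-licensed user, followed by
# Safe Links / Safe Attachments rules scoped to that group.
$GroupId     = "00000000-0000-0000-0000-000000000000"   # placeholder: object id of the M365 group
$GroupSmtp   = "atp-scope@contoso.example"              # placeholder: group's primary SMTP address
$TestUserUpn = "pilot.user@contoso.example"             # placeholder: single user for validation

Connect-AzureAD

# Step 1a: dynamic rule that matches exactly one user, to validate the settings.
$TestRule = "(user.userPrincipalName -eq `"$TestUserUpn`")"
Set-AzureADMSGroup -Id $GroupId `
    -GroupTypes "Unified","DynamicMembership" `
    -MembershipRule $TestRule `
    -MembershipRuleProcessingState "On"

# Step 1b: once validated, match every user holding an enabled ATP service plan.
# Assumption: the plan is named ATP_ENTERPRISE; resolve its id from the tenant's SKUs.
$AtpPlanId = Get-AzureADSubscribedSku |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ServicePlanName -eq "ATP_ENTERPRISE" } |
    Select-Object -First 1 -ExpandProperty ServicePlanId
if (-not $AtpPlanId) { throw "ATP service plan not found in any subscribed SKU" }

$LicenseRule = "user.assignedPlans -any (assignedPlan.servicePlanId -eq `"$AtpPlanId`" -and assignedPlan.capabilityStatus -eq `"Enabled`")"
Set-AzureADMSGroup -Id $GroupId `
    -MembershipRule $LicenseRule `
    -MembershipRuleProcessingState "On"

# Step 2: scope the ATP policies to the group. Policies hold the settings;
# rules decide who they apply to, here via membership of the scope group.
Connect-ExchangeOnline

New-SafeLinksPolicy -Name "ATP Safe Links" `
    -IsEnabled $true -ScanUrls $true -DeliverMessageAfterScan $true
New-SafeLinksRule -Name "ATP Safe Links (licensed users)" `
    -SafeLinksPolicy "ATP Safe Links" -SentToMemberOf $GroupSmtp

New-SafeAttachmentPolicy -Name "ATP Safe Attachments" `
    -Enable $true -Action Block
New-SafeAttachmentRule -Name "ATP Safe Attachments (licensed users)" `
    -SafeAttachmentPolicy "ATP Safe Attachments" -SentToMemberOf $GroupSmtp
```

Keying the membership rule on `assignedPlans` rather than on a department or a manually maintained list keeps the policy scope in step with licensing: a user who loses the license drops out of the group on the next dynamic-membership evaluation, and a newly licensed user is picked up without an admin touching the group.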