Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

Configuration analyzer in the Microsoft 365 Defender portal provides a central location to find and fix security policies where the settings are below the Standard protection and Strict protection profile settings in preset security policies.

The following types of policies are analyzed by the configuration analyzer:

The Standard and Strict policy setting values that are used as baselines are described in Recommended settings for EOP and Microsoft Defender for Office 365 security.

What do you need to know before you begin?

  • You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Configuration analyzer page, use https://security.microsoft.com/configurationAnalyzer.

  • To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

  • You need to be assigned permissions in the Microsoft 365 Defender portal before you can do the procedures in this article:

    • To use the configuration analyzer and make updates to security policies, you need to be a member of the Organization Management or Security Administrator role groups.
    • For read-only access to the configuration analyzer, you need to be a member of the Global Reader or Security Reader role groups.

    For more information, see Permissions in the Microsoft 365 Defender portal.

    Note

    • Adding users to the corresponding Azure Active Directory role gives users the required permissions in the Microsoft 365 Defender portal and permissions for other features in Microsoft 365. For more information, see About admin roles.

    • The View-Only Organization Management role group in Exchange Online also gives read-only access to the feature.

Use the configuration analyzer in the Microsoft 365 Defender portal

In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Templated policies section > Configuration analyzer.

The Configuration analyzer page has two main tabs:

  • Settings and recommendations: You pick Standard or Strict and compare those settings to your existing security policies. In the results, you can adjust the values of your settings to bring them up to the same level as Standard or Strict.
  • Configuration drift analysis and history: This view allows you to track policy changes over time.

Setting and recommendations tab in the configuration analyzer

By default, the tab opens on the comparison to the Standard protection profile. You can switch to the comparison of the Strict protection profile by selecting View Strict recommendations. To switch back, select View Standard recommendations.

Settings and recommendations view in the Configuration analyzer

By default, the Policy group/setting name column contains a collapsed view of the different types of security policies and the number of settings that need improvement (if any). The types of policies are:

  • Anti-spam
  • Anti-phishing
  • Anti-malware
  • Safe Attachments (if your subscription includes Microsoft Defender for Office 365)
  • Safe Links (if your subscription includes Microsoft Defender for Office 365)

In the default view, everything is collapsed. Next to each policy, there's a summary of comparison results from your policies (which you can modify) and the settings in the corresponding policies for the Standard or Strict protection profiles (which you can't modify). You'll see the following information for the protection profile that you're comparing to:

  • Green: All settings in all existing policies are at least as secure as the protection profile.
  • Amber: A small number of settings in the existing policies are not as secure as the protection profile.
  • Red: A significant number of settings in the existing policies are not as secure as the protection profile. This could be a few settings in many policies or many settings in one policy.

For favorable comparisons, you'll see the text: All settings follow <Standard or Strict> recommendations. Otherwise, you'll see the number of recommended settings to change.

If you expand Policy group/setting name, all of the policies and the associated settings in each specific policy that require attention are revealed. Or, you can expand a specific type of policy (for example, Anti-spam) to see just those settings in those types of policies that require your attention.

If the comparison has no recommendations for improvement (green), expanding the policy reveals nothing. If there are any number of recommendations for improvement (amber or red), the settings that require attention are revealed, and corresponding information is revealed in the following columns:

  • Policy group/setting name: The name of the setting that requires your attention. For example, in the previous screenshot, it's the settings in the default anti-spam policy.
  • Policy: The name of the affected policy that contains the setting.
  • Applied to: The number of users that the affected policies are applied to.
  • Current configuration: The current value of the setting. For the default policy of that type that applies to all recipients, this value is blank.
  • Last modified: The date that the policy was last modified.
  • Recommendations: The value of the setting in the Standard or Strict protection profile. To change the value of the setting in your policy to match the recommended value in the protection profile, click Adopt. If the change is successful, you'll see the message: Recommendations successfully adopted. Click Refresh to see the reduced number of recommendations, and the removal of the specific setting/policy row from the results.

Configuration drift analysis and history tab in the configuration analyzer

This tab allows you to track the changes that you've made to your custom security policies. By default, the following information is displayed:

  • Last modified
  • Modified by
  • Setting Name
  • Policy
  • Type
  • Configuration change
  • Configuration drift: The value Increase or Decrease.

To filter the results, click Filter. In the Filters flyout that appears, you can select from the following filters:

  • Start time and End time (date)
  • Standard protection or Strict protection

To export the results to a .csv file, click Export.

Configuration drift analysis and history view in the Configuration analyzer