Office365: Order & Precedence of Protection Rules

Deep within Microsoft’s documentation ecosystem lies this document – the order in which various spam filters are applied to incoming emails!

The order of processing for each email protection type isn’t configurable, and is described in the following table:

| Order | Email protection | Category | Where to manage |
|---|---|---|---|
| 1 | Malware | CAT:MALW | Configure anti-malware policies in EOP |
| 2 | High confidence phishing | CAT:HPHSH | Configure anti-spam policies in EOP |
| 3 | Phishing | CAT:PHSH | Configure anti-spam policies in EOP |
| 4 | High confidence spam | CAT:HSPM | Configure anti-spam policies in EOP |
| 5 | Spoofing | CAT:SPOOF | Spoof intelligence insight in EOP |
| 6* | User impersonation (protected users) | CAT:UIMP | Configure anti-phishing policies in Microsoft Defender for Office 365 |
| 7* | Domain impersonation (protected domains) | CAT:DIMP | Configure anti-phishing policies in Microsoft Defender for Office 365 |
| 8* | Mailbox intelligence (contact graph) | CAT:GIMP | Configure anti-phishing policies in Microsoft Defender for Office 365 |
| 9 | Spam | CAT:SPM | Configure anti-spam policies in EOP |
| 10 | Bulk | CAT:BULK | Configure anti-spam policies in EOP |

Audit Error – Office365

Recently, I was trying to perform an audit search on an Office365 organization and found auditing wasn’t enabled. When I tried to do it straight from the audit screen, I encountered this error:

Sorry! We couldn’t update your organization settings. Please try again.

I went straight to PowerShell and ran Get-AdminAuditLogConfig | FL Unified* and it was not enabled.

To resolve this, I ran Enable-OrganizationCustomization 

And then I ran the PowerShell command Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

And that did it!

Getting Inbox or Mailbox Rules in Office365 via PowerShell

First, log in to your tenant via PowerShell using Microsoft’s new Exchange V2 PowerShell module.

We’re going to be using the Get-InboxRule cmdlet. If you run it outright, you’ll see a limited list of Inbox rules across your tenant. To narrow things down, you can use Get-InboxRule -Mailbox [user] to get rules for a specific user. Using the -Identity parameter will not work for this! -Identity is for selecting specific Inbox rules, not mailboxes. You can use wildcards, so you could do Get-InboxRule -Mailbox jeff*

The results will be:

From here, you can use the -Identity parameter to get information on specific rules such as their date of creation, what they actually do, and more!

Check it out.
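
Going one step beyond the single-user lookup above, the following added example (not from the original post) walks every mailbox and lists only the rules that forward, redirect, delete or move mail, which are the ones usually reviewed first during a mailbox audit. It assumes an existing Connect-ExchangeOnline session from the Exchange V2 module; the variable names and report columns are illustrative.

```powershell
# Added example: assumes you are already connected with Connect-ExchangeOnline
# (ExchangeOnlineManagement / "Exchange V2" module) and can read mailbox rules.

# Rule actions worth a second look in a review: they send mail out of the
# mailbox or hide it from the mailbox owner.
$actionProps = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
               'DeleteMessage', 'MoveToFolder'

$report = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    # -Mailbox selects whose rules to list; -Identity would select one rule.
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName

    foreach ($rule in $rules) {
        # Keep only the actions that are actually set on this rule.
        $hits = foreach ($prop in $actionProps) {
            $value = $rule.$prop
            if ($value) { '{0}={1}' -f $prop, ($value -join ';') }
        }

        if ($hits) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Identity = $rule.Identity
                Actions  = $hits -join ' | '
            }
        }
    }
}

$report | Sort-Object Mailbox, RuleName | Format-Table -AutoSize -Wrap

# To inspect one finding in full, pass its Identity value back in:
#   Get-InboxRule -Mailbox <user> -Identity <rule identity> | Format-List
```

On a large tenant, pipe `$report` to Export-Csv instead of Format-Table so the results can be filtered and kept with the audit record.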

Issues Upgrading Windows 10 Pro to Enterprise with AzureAD and E5 Licenses

A client of ours wanted to upgrade their Windows 10 Professional licenses to Windows 10 Enterprise by way of E5 licensing in Office365 / Azure Active Directory.

Most computers worked fine, but a few just didn’t work and upgrade as they should have. There isn’t a lot of documentation on this, so I thought I’d put out there what worked for us and what we found. I ended up opening a ticket with Microsoft Escalated Support and worked with a rep over a few weeks.

First and foremost, make sure in Office365 that the E5 license has the option checked off for Windows 10 Enterprise.

First Troubleshooting Recommendation: dsregcmd

Run dsregcmd /status on the affected machine as the logged-in user (and not a System or admin account).

If WamDefaultSet : ERROR and / or AzureAdPrt : NO are found, these would indicate an issue on Azure’s end. You want to see both answered with YES. These fields indicate whether the user has successfully authenticated to Azure AD when signing in to the device.

If the values are NO, it could be due to:

  • Bad storage key in the TPM associated with the device upon registration (check the KeySignTest while running elevated).
  • Alternate Login ID
  • HTTP Proxy not found