
MDOThreatPolicyChecker

Download the latest release: MDOThreatPolicyChecker.ps1

This script checks which Microsoft Defender for Office 365 (MDO) and Exchange Online Protection (EOP) threat policies cover a particular user: anti-malware, anti-phishing, inbound and outbound anti-spam, and, if they are licensed in your tenant, Safe Attachments and Safe Links policies. In addition, the script can check for threat policies whose inclusion and/or exclusion settings are redundant or confusing, which can leave users uncovered or covered by an unexpected threat policy.

It also includes an option to show all the actions and settings of the policies that apply to a user.

Common Usage

The script uses Exchange Online cmdlets from the ExchangeOnlineManagement module and Microsoft Graph cmdlets from the Microsoft.Graph.Authentication, Microsoft.Graph.Groups and Microsoft.Graph.Users modules.

To run the Microsoft Graph cmdlets used in this script, you need only the following modules from the Microsoft.Graph PowerShell SDK:
    - Microsoft.Graph.Groups: contains cmdlets for managing groups, including Get-MgGroup and Get-MgGroupMember.
    - Microsoft.Graph.Users: includes cmdlets for managing users, such as Get-MgUser.
    - Microsoft.Graph.Authentication: required for authentication and for running any cmdlet that interacts with Microsoft Graph.

You can find the Microsoft Graph modules at the following links:
    https://www.powershellgallery.com/packages/Microsoft.Graph/
    https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0#installation

Install the required submodules of the Microsoft Graph PowerShell SDK as follows:

Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser
Install-Module -Name Microsoft.Graph.Groups -Scope CurrentUser
Install-Module -Name Microsoft.Graph.Users -Scope CurrentUser

NOTE

Remember to run these commands in a PowerShell session with the appropriate permissions. The -Scope CurrentUser parameter installs the modules for the current user only, which doesn't require administrative privileges.

The Graph connection needs the scopes 'Group.Read.All' and 'User.Read.All'. Both are read-only: the script only enumerates users and group membership, so no write permission should be granted.

Connect-MgGraph -Scopes 'Group.Read.All','User.Read.All'


You also need an Exchange Online session:
Connect-ExchangeOnline

You can find the Exchange Online module and related information at the following links:
    https://learn.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps
    https://www.powershellgallery.com/packages/ExchangeOnlineManagement
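Putting the installation and connection steps above together, here is an added example of a complete session setup; it is not part of the MDOThreatPolicyChecker project or its documentation. It installs only the modules the script needs if they are missing, connects to Graph with the two read-only scopes, confirms those scopes were actually consented, verifies the Exchange Online session, and then runs the script. It assumes Microsoft Graph PowerShell SDK v2 (where Get-MgContext exposes the consented Scopes) and ExchangeOnlineManagement v3 or later (which provides Get-ConnectionInformation); the email address is a placeholder.

```powershell
# Added example, not the project's own code. Assumes Microsoft.Graph SDK v2 and
# ExchangeOnlineManagement v3+; user1@contoso.com is a placeholder.

# Only the modules the script actually uses: three Graph submodules, not the whole SDK.
$requiredModules = @(
    'Microsoft.Graph.Authentication',
    'Microsoft.Graph.Groups',
    'Microsoft.Graph.Users',
    'ExchangeOnlineManagement'
)

foreach ($name in $requiredModules) {
    if (-not (Get-Module -ListAvailable -Name $name)) {
        # CurrentUser scope needs no administrative privileges.
        Install-Module -Name $name -Scope CurrentUser
    }
    Import-Module -Name $name -ErrorAction Stop
}

# Read-only scopes are sufficient: the script only reads users and group membership.
$requiredScopes = @('Group.Read.All', 'User.Read.All')
Connect-MgGraph -Scopes $requiredScopes

# Confirm the consented scopes cover what the script needs before doing any work.
$context = Get-MgContext
if (-not $context) {
    throw 'No Microsoft Graph session; Connect-MgGraph did not complete.'
}
$missingScopes = $requiredScopes | Where-Object { $_ -notin $context.Scopes }
if ($missingScopes) {
    throw "Graph session is missing scopes: $($missingScopes -join ', ')"
}

Connect-ExchangeOnline -ShowBanner:$false

# Get-ConnectionInformation (ExchangeOnlineManagement v3+) lists active sessions
# and their State; fail early if nothing is connected.
$exoSession = Get-ConnectionInformation | Where-Object { $_.State -eq 'Connected' }
if (-not $exoSession) {
    throw 'No connected Exchange Online session.'
}

# Both sessions verified: run the script against one user, including MDO policies.
.\MDOThreatPolicyChecker.ps1 -EmailAddress user1@contoso.com -IncludeMDOPolicies
```

The script performs its own connection check by default, so the explicit verification above mainly matters when you run with -SkipConnectionCheck or when you want the scope check to fail fast before a long CSV run.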

Examples:

To check all threat policies for potentially confusing user inclusion and/or exclusion conditions and print them out for review, run the following:

.\MDOThreatPolicyChecker.ps1

To provide a CSV input file with email addresses and see only EOP policies, run the following:

.\MDOThreatPolicyChecker.ps1 -CsvFilePath [Path\filename.csv]

To provide multiple email addresses by command line and see only EOP policies, run the following:

.\MDOThreatPolicyChecker.ps1 -EmailAddress user1@contoso.com,user2@fabrikam.com

To provide a CSV input file with email addresses and see both EOP and MDO policies, run the following:

.\MDOThreatPolicyChecker.ps1 -CsvFilePath [Path\filename.csv] -IncludeMDOPolicies

To provide an email address and see only MDO (Safe Attachment and Safe Links) policies, run the following:

.\MDOThreatPolicyChecker.ps1 -EmailAddress user1@contoso.com -OnlyMDOPolicies

To see the details of the EOP and MDO policies applied to the mailboxes listed in a CSV file, run the following:

.\MDOThreatPolicyChecker.ps1 -CsvFilePath [Path\filename.csv] -IncludeMDOPolicies -ShowDetailedPolicies

To get all mailboxes in your tenant and print out their EOP and MDO policies, run the following:

.\MDOThreatPolicyChecker.ps1 -IncludeMDOPolicies -EmailAddress @(Get-EXOMailbox -ResultSize Unlimited | Select-Object -ExpandProperty PrimarySmtpAddress)

Parameters

Parameter             Description
CsvFilePath           Path to a CSV file with a list of email addresses to check. The file must include a header row with a column named Email.
EmailAddress          One email address, or several separated by commas.
IncludeMDOPolicies    Checks both EOP and MDO (Safe Attachments and Safe Links) policies for the user(s) specified via CsvFilePath or EmailAddress.
OnlyMDOPolicies       Checks only MDO (Safe Attachments and Safe Links) policies for the user(s) specified via CsvFilePath or EmailAddress.
ShowDetailedPolicies  In addition to the policy applied, shows every policy setting that is set to True, On, or not blank.
SkipConnectionCheck   Skips the connection check for Graph and Exchange Online.
SkipVersionCheck      Skips the script version check.
ScriptUpdateOnly      Only updates the script to the latest version; performs no policy checks.
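The CsvFilePath parameter expects a header row with an Email column. As an added example (not part of the project's documentation or code), the following builds such a file from live tenant data, using the same Graph modules the script already requires, so that a pilot group's coverage can be checked in one run. It assumes the Graph and Exchange Online sessions described under Common Usage are already connected; the group display name and the output path are placeholders.

```powershell
# Added example, not the project's own code. Assumes Connect-MgGraph (Group.Read.All,
# User.Read.All) and Connect-ExchangeOnline have already been run. 'Finance Pilot' and
# the output path are placeholders.
$csvPath = Join-Path $env:TEMP 'mdo-check-users.csv'

# Resolve the group; fail clearly if the name is ambiguous or unknown rather than
# silently checking the wrong set of users.
$group = @(Get-MgGroup -Filter "displayName eq 'Finance Pilot'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named 'Finance Pilot', found $($group.Count)."
}

# Get-MgGroupMember returns directory objects; the mail attribute is exposed through
# AdditionalProperties. Members without a mail address (devices, service principals)
# are dropped, since the script keys on email addresses.
$members = Get-MgGroupMember -GroupId $group[0].Id -All |
    ForEach-Object { $_.AdditionalProperties.mail } |
    Where-Object { $_ } |
    Sort-Object -Unique

if (-not $members) {
    throw "Group 'Finance Pilot' has no mail-enabled members."
}

# The column name must be exactly Email; that is the header the script reads.
$members |
    ForEach-Object { [pscustomobject]@{ Email = $_ } } |
    Export-Csv -Path $csvPath -NoTypeInformation

# Sanity-check the header before handing the file to the script (Export-Csv quotes
# the header on Windows PowerShell 5.1 and leaves it bare on PowerShell 7).
$header = Get-Content -Path $csvPath -TotalCount 1
if ($header -notmatch '^"?Email"?\s*$') {
    throw "CSV at $csvPath does not start with an Email header: $header"
}

.\MDOThreatPolicyChecker.ps1 -CsvFilePath $csvPath -IncludeMDOPolicies -ShowDetailedPolicies
```

Generating the input from group membership rather than typing addresses by hand keeps the check repeatable, which matters when you rerun it after changing a policy's inclusion or exclusion conditions to confirm the intended users are now covered.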