Microsoft Defender for Office 365 (or Office 365 Advanced Threat Protection if you’re old-fashioned) is an amazing toolset for securing your Office 365 environment, with some extremely powerful features. Previously, I have written about the built-in Preset Security Policies that Microsoft have recently made available. These policies help to provide a baseline for your Defender for Office 365 configuration. While not every setting will meet requirements for every environment, they are a great start towards a best practice configuration.
To make assessing and remediating your policies even easier, Microsoft have made available the Microsoft Defender for Office 365 Configuration Analyzer, which is an evolution of the Office 365 Recommended Configuration Analyzer (ORCA) tool. The Configuration Analyzer takes these baseline policies and essentially runs a gap analysis against your existing policies. The analyzer then allows for simple, one-click remediation of policies to bring them back to baseline, and also monitors and logs changes to policies to capture configuration drift.
Using the Configuration Analyzer
To use the Configuration Analyzer, we simply navigate to the Policies section of the Office 365 Security & Compliance Portal and choose the Configuration Analyzer option.
There are two sections to the Analyzer. The ‘Settings and Recommendations’ page provides a list of all current settings which deviate from the baseline best practices. Not all of these settings will suit your environment, so it’s important to consider the specific needs of your organization before accepting any baselines.
To implement the recommended setting, we simply click “Adopt” in the right column to change our current value. Very easy!
The other section of the Configuration Analyzer presents us with “Configuration Drift Analysis and History”. This page gives us the drift from baseline in our tenant, along with details of when the option was changed and even whether the change increased or decreased the security posture of the environment. We can see who made the change, to what policy it was made and when. Great for enforcing desired state.
The Configuration Analyzer doesn’t bring a whole lot that wasn’t available in the ORCA tool previously, but having it integrated and showing drift and history is a fantastic addition. Keep the specific needs of your organization in mind when implementing the recommendations: not all default policies will apply to all organizations.