Exchange policies

Description

This policy identifies Microsoft 365 distribution groups that currently have no assigned owners. 

It displays the group's name and confirms that the total number of owners is zero for each listed group. Having an assigned owner is crucial for proper oversight and management of distribution groups within an organization. 

This tool allows administrators to quickly pinpoint any ownerless groups and take necessary actions to assign appropriate ownership, ensuring proper governance over these collaboration spaces.

Impact on your tenant

Without an Owner, a Distribution Group may contain legacy members, and consequently sensitive information may be getting shared with users who should not be privy to the information.

Remediation action

Send a report to specified recipients (one or more)

What you can configure

• Establish the conditions under which the report is sent
• Choose the file format
• Compose the email body
• Type the recipient(s) of the report (custom address)
• Schedule the recurrence of the remediation action

Description

This policy is designed to help you find shared mailboxes that haven't been active recently. 

It shows the mailbox's display name, the number of emails received and sent in the last 30 days, and the principal name associated with the mailbox. 

It's a useful tool for identifying and managing shared mailboxes that may no longer be in use.

Impact on your tenant

It is important to regularly monitor and manage shared mailboxes and take appropriate remediation actions because it can reduce collaboration, lead to missed messages or tasks, cause unnecessary email traffic, and result in performance issues or security risks.

Remediation action

1. Send attestation to a specified recipient (optional)
2. Execute the action “Remove mailbox”

What you can configure

• Change the recipient of the attestation to either the manager, a custom address, or choose not to send the attestation
• Insert an additional message
• Define the attestation timeout days
• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This policy is designed to identify mailboxes that have exceeded their send/receive quota. 

It shows the user principal name, the set quota in megabytes (MB), and the percentage of the quota used. 

This tool assists in monitoring mailbox usage and ensuring that users remain within the operational limits of their email accounts.

Impact on your tenant

Your users will not be able to receive/send emails once the maximum quota is reached.

Remediation action

1. Enable the Mailbox archive, by forcing the “Has archive” set to “True” for the mailbox
2. Send an alert to the mailbox owner to inform them of the issue and provide guidance on how to manage the mailbox properly

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This policy identifies mailboxes that have surpassed their warning quota limit. 

It displays the display name of the mailbox, whether it has an archive, the percentage of the warning quota used, the warning quota in megabytes (MB), and the user principal name. 

This tool is essential for managing mailbox sizes and preventing potential disruptions in email service due to quota exceedances.

Impact on your tenant

Mailboxes in Microsoft 365 have a storage limit, and if a mailbox exceeds this limit, it can result in issues such as emails not being delivered, emails being bounced back to the sender, and users being unable to send or receive emails. This can result in a loss of productivity and can negatively impact customer satisfaction.

Remediation action

1. Enable the Mailbox archive, by forcing the “Has archive” set to “True” for the mailbox
2. Send an alert to the mailbox owner to inform them of the issue and provide guidance on how to manage the mailbox properly

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This policy provides a list of mailboxes where auditing is currently turned off. 

It shows the display name of each mailbox, confirms that audit is not enabled, and includes the user principal name. 

It also has a column for the manager, which can be useful for follow-up. This tool is critical for ensuring compliance and security within your organization's email system.

Impact on your tenant

Auditing is a crucial security feature that enables the tracking and monitoring of events and actions in the Microsoft 365 environment. By enabling auditing for mailboxes, the Tenant admin can monitor for security incidents such as unauthorized access, modification, and deletion of emails. If auditing is disabled, these events may go unnoticed, putting the organization at risk of data breaches, compliance violations, and other security incidents.

Remediation action

1. Send attestation to a specified recipient (optional)
2. Execute the action “Enable Mailbox audit”

What you can configure

• Change the recipient of the attestation to either the manager, or a custom address, or choose not to send the attestation
• Insert an additional message
• Define the attestation timeout days
• Define the number of days after which the links expire
• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This policy is set up to identify mailboxes that have external forwarding enabled. 

It lists the display name, UPN, and verifies that external forwarding is active. 

It also shows the forwarding destination, both as an address and SMTP, and includes the forwarding rules applied, as well as the account type. 

This tool is useful for monitoring mail flow and ensuring that data security policies are being followed.

Impact on your tenant

Mailboxes with external forwarding can cause security risk that leads to data breaches and unauthorized access. Compliance regulations may also require monitoring of external forwarding. This violation can also result in productivity loss, increased costs, and data leakage.

Remediation action

Send attestation to a specified recipient (optional)

What you can configure

• Establish the conditions under which the report is sent
• Choose the file format
• Compose the email body
• Type the recipient(s) of the report (custom address)
• Schedule the recurrence of the remediation action

Description

This report gathers shared mailboxes whose warning quota is over 80%.

Impact on your tenant

When shared mailboxes exceed 80% of their warning quota, it can lead to potential security risks and operational inefficiencies. Full or nearly full mailboxes may become targets for attackers looking to exploit storage limitations to trigger denial of service conditions. Best practices suggest actively monitoring and managing mailbox sizes to prevent disruption, ensuring that critical communications and security updates are not missed due to storage issues.

Remediation action

Schedule and send the report to a custom recipient.

What you can configure

• Type the recipient of the email (custom address)
• Send email when the report is empty, not empty, or always
• Send as an Excel, CSV, or PDF file
• Schedule the recurrence of the remediation action

Description

This report gathers all mailboxes of type shared that do not have the audit feature enabled.

Impact on your tenant

Having shared mailboxes without the audit feature enabled poses significant security risks and deviates from best practices. Without auditing, tracking unauthorized access or suspicious activities becomes difficult, increasing the risk of data breaches. It also hinders compliance with data protection regulations, as there's no record of who accessed what information and when.

Remediation action

Enable Mailbox Audit.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This policy provides a list of shared mailboxes where the credentials are currently active and not blocked.

It displays the display name of each mailbox, confirms that the block credential status is false, and identifies the mailbox as a shared type. It also includes the user principal name associated with each mailbox. 

This tool is useful for ensuring that shared mailboxes are accessible to authorized users and for monitoring security settings.

Impact on your tenant

In the absence of a delegate, the shared mailbox may not be properly managed, and important emails and information may be missed or not acted upon in a timely manner. Additionally, inappropriate access to shared mailboxes can lead to data breaches and security risks, which can have significant negative impacts on the organization.

Remediation action

Execute the action “Enable sign-in status”, that blocks sign-in for the account that's associated with the shared mailbox ("Block sign-in" status)

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This policy is designed to identify shared mailboxes that have not been delegated to any users. 

It lists the UPN and confirms the recipient type as a shared mailbox. It also shows that the number of mailbox delegates is zero, indicating no delegation. 

This tool is useful for administrators to review and manage delegate access to shared mailboxes within an organization.

Impact on your tenant

In the absence of a delegate, the shared mailbox may not be properly managed, and important emails and information may be missed or not acted upon in a timely manner. Additionally, inappropriate access to shared mailboxes can lead to data breaches and security risks, which can have significant negative impacts on the organization.

Remediation action

Send an alert to a specified recipient to inform them of the issue and provide guidance on how to manage the mailbox properly

What you can configure

• Type the recipient of the email (custom address)
• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This policy focuses on unlicensed shared mailboxes that are nearing their storage capacity limit of 50GB. 

It lists the display name, mailbox size in megabytes (indicating those between 47,000 MB and 50,000 MB), the user principal name, and the recipient type details to confirm the mailbox is shared. 

It also includes a column for the manager, which may be useful for administrative follow-up. 

This tool is essential for managing mailbox storage and preventing service interruptions due to exceeded storage limits.

Impact on your tenant

Large mailboxes can impact performance, cause delays, and consume significant storage space leading to storage issues and increased costs.

Remediation action

Send an email to a specific recipient (Manager or Custom address) giving proper advice to reduce mailbox size

What you can configure

• Change the recipient of the email to either the manager or a custom address
• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This report compiles all user mailboxes that have been placed on a litigation hold.

Impact on your tenant

Enabling litigation hold on user mailboxes ensures that email data cannot be permanently deleted, crucial for legal compliance and investigations. This practice enhances security by preserving evidence, but it requires careful management of storage and privacy implications. Adhering to best practices involves regular audits, clear data retention policies, and ensuring only authorized access to held data.

Remediation action

Disable Litigation hold.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This report gathers user mailboxes whose warning quota is over 80%.

Impact on your tenant

User mailboxes exceeding 80% of their warning quota indicate nearing full capacity, which can have security and operational implications. Overfilled mailboxes may prevent users from receiving important security updates or alerts, increasing vulnerability to threats. Best practices recommend monitoring and managing storage quotas to ensure mail systems function efficiently and securely, avoiding data loss or compromised communication channels.

Remediation action

Schedule and send the report to a custom recipient.

What you can configure

• Type the recipient of the email (custom address)
• Send email when the report is empty, not empty, or always
• Send as an Excel, CSV, or PDF file
• Schedule the recurrence of the remediation action

Description

This report gathers user mailboxes that do not show activity over the last 90 days.

Impact on your tenant

Inactive user mailboxes over the past 90 days can pose security risks, such as being targets for unauthorized access or data breaches, since they are often overlooked in security monitoring. Best practices suggest regularly reviewing and disabling or deleting inactive accounts to reduce potential attack vectors. Additionally, implementing policies for automatic deactivation can further enhance security by minimizing the risk of outdated accounts being exploited.

Remediation action

Disable the user mailbox.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This report gathers user mailboxes that have no archive.

Impact on your tenant

User mailboxes without an archive can pose security risks and management challenges. Without archives, organizations may struggle to recover important emails during data loss incidents or comply with data retention laws, risking legal and financial repercussions. Additionally, the absence of archiving can lead to cluttered mailboxes, potentially slowing down email systems and making it harder to detect malicious emails, thereby increasing vulnerability to cyber-attacks.

Remediation action

Manage archive.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This policy is designed to identify users whose mailboxes are not placed under a litigation hold.

It lists the display name, user principal name, and recipient type details, confirming that these are user mailboxes.

It also shows the litigation hold status as false and includes both the manager's user principal name and display name.

This tool is essential for managing compliance and ensuring that data is preserved for legal reasons when necessary.

Impact on your tenant

Failure to preserve email can expose an organization to legal and financial risks such as scrutiny of the organization's records retention and discovery processes, adverse legal judgments, sanctions, or fines.

Remediation action

1. Execute the action “Enable Litigation Hold”
2. Send an alert to the User Principal Name

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action