Microsoft Office 365 Email Security

The Microsoft Office 365 email security plugin adds utilities to help administrators manage their Office 365 instances. This plugin allows administrators to take remediation actions across their organization.

Key Features

  • Block senders by domain or email address
  • Search for and optionally delete email across an organization
  • Get email trace information

Before you begin

You must have an administrative account with multifactor authentication disabled and PowerShell connectivity to the Office 365 cloud.

To correctly configure this plugin, you must assign a Microsoft 365 user to specific role groups. Read more about these role groups at: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-worldwide

Permissions

You will need to set up these permissions and roles in either the Microsoft Defender portal at security.microsoft.com (formerly the Security & Compliance Center) or in the Microsoft Purview portal:

  • eDiscovery Manager
  • Search
  • Purge

Using Microsoft Purview portal for compliance?

The instructions in this article describe the steps to take in the Microsoft Defender portal; however, some Microsoft licenses require you to set permissions in the Microsoft Purview portal instead. For more information about performing the steps in Microsoft Purview, review the documentation about permissions at https://learn.microsoft.com/en-gb/purview/purview-permissions and the documentation about roles at https://learn.microsoft.com/en-gb/defender-office-365/scc-permissions?toc=%2Fpurview%2Ftoc.json&bc=%2Fpurview%2Fbreadcrumb%2Ftoc.json.

Roles required for action to work

  • Block Sender Transport Rule action
  • Email Compliance Search action:
    • Mailbox Search role
  • Email Compliance Purge action:
    • Mailbox Import Export role
  • Email Compliance Search and Purge action:
    • Mailbox Import Export role
    • Mailbox Search role
    • In Microsoft Purview portal: Search and Purge role
  • Message Trace action:
    • Message Tracking role

Set up a new user for Office 365

You will need to create a new user or modify an existing user account in your Office 365 instance and assign the appropriate permissions. To create a new user account, you need to be logged in to a Microsoft 365 administrator account.

To set up a new user:

  1. Log in to the Microsoft 365 admin center at admin.cloud.microsoft.

  2. From the home screen, click the Add user quick link.

  3. Configure these required fields:

    • Display Name: We recommend naming this user something that will instantly tell you what it was created for. Consider something like “Rapid7 Automation (InsightConnect)” for the display name.
    • Username: You will use this username to configure a connection for the Microsoft Office 365 Email Security plugin in Automation (InsightConnect). Consider using rapid7office365emailsecurity for easy reference. Microsoft Office will automatically append your organization’s email domain to the username.
    • Password: You will use this password to configure connections to the Microsoft Office 365 Email Security plugin in Automation (InsightConnect) or for your remote host.
    • Roles: Select Customized admin for now. You’ll configure any remaining permissions in the next section.
    • Product Licenses: Provide the service account with one of your Office 365 licenses.
  4. Click Next to step through the wizard and save the new user.

Set up role groups for the Microsoft Office 365 Email Security user account

The user account you created in the Microsoft 365 admin center for use with the Automation (InsightConnect) Microsoft Office 365 Email Security plugin needs to be added as a member to specific role groups.

To assign the user the correct permissions in the Microsoft Defender portal:

  1. From the left navigation, go to System > Permissions > Email & collaboration roles > Roles.
  2. Check the list of permissions role groups for eDiscovery Manager. These are default role groups set up by Microsoft and cannot be edited. However, you can make a copy of a role group and customize it.
  3. Open the eDiscovery Manager role group, then click Copy role group and enter a name for the copied group. Use a name that specifies that this group is used for Automation (InsightConnect)'s Microsoft Office 365 Email Security plugin.
  4. In the newly copied role group, click Edit role group and go to Choose roles.
  5. Find the role called Search and Purge, select that role, and click Select.
  6. From the Choose users section, search and select the users that you want to assign to this role group, and click Select.
  7. Review your settings and click Save.
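
Because this account runs without multifactor authentication and can purge mail, it is worth confirming what the role-group steps above actually granted. The following script is an added example, not part of the plugin or of Rapid7's documentation: it lists every role group in Security & Compliance PowerShell that contains the account and the roles each one grants. The account address is a placeholder, and the member properties used for matching are an assumption about what Get-RoleGroupMember returns in your tenant.

```powershell
# Added example: audit which Security & Compliance role groups a service
# account belongs to and which roles each membership grants.
# Requires the ExchangeOnlineManagement module (provides Connect-IPPSSession).
param(
    # Placeholder UPN; replace with the account created for the plugin.
    [string]$ServiceAccount = 'rapid7office365emailsecurity@example.com',
    # Role added to the copied eDiscovery Manager group in the steps above.
    [string]$RequiredRole = 'Search And Purge'
)

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # sign in interactively with an admin account

$memberships = foreach ($group in Get-RoleGroup) {
    $members = Get-RoleGroupMember -Identity $group.Name -ErrorAction SilentlyContinue
    # Assumption: members expose at least one of these identity properties.
    $isMember = $members | Where-Object {
        $ServiceAccount -in @($_.PrimarySmtpAddress, $_.WindowsLiveID, $_.Name)
    }
    if ($isMember) {
        [pscustomobject]@{
            RoleGroup = $group.Name
            # Role entries may be path-style identities; keep the final segment.
            Roles     = @($group.Roles | ForEach-Object { ("$_" -split '/')[-1] })
        }
    }
}

if (-not $memberships) {
    Write-Warning "$ServiceAccount is not a member of any role group in this portal."
    return
}

# One line per role group, so every granted role can be reviewed.
$memberships | ForEach-Object {
    '{0}: {1}' -f $_.RoleGroup, ($_.Roles -join ', ')
}

$allRoles = $memberships.Roles | Sort-Object -Unique
if ($allRoles -contains $RequiredRole) {
    "OK: '$RequiredRole' is assigned."
} else {
    Write-Warning "'$RequiredRole' is not assigned; the Search and Purge action requires it."
}
if (@($memberships).Count -gt 1) {
    Write-Warning 'Account is in more than one role group; review for excess privilege.'
}
```

Save it as a .ps1 file and run it from an administrator's session, not as the service account itself.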

Mass Delete with PowerShell plugin in your Office 365 instance

You can use the PowerShell plugin and a script written by the Automation (InsightConnect) team to mass-delete items in your Office 365 instance. For more information about this feature, refer to this document: Mass Delete With Powershell