Microsoft Office 365 Email Security

Microsoft Office 365 Email Security connection guide:

The Microsoft Office 365 email security plugin adds utilities to help administrators manage their Office 365 instances. This plugin will allow administrators to take remediation actions across their organization.

Key Features:

  • Block senders by domain or email address
  • Search for and optionally delete email across an organization
  • Get email trace information

There are a few things you need to do before you get started:

You must have an administrative account with multifactor authentication disabled and PowerShell connectivity to the Office 365 cloud.

Permission:

You will need to set up the following permissions/roles in the compliance center:

  • eDiscovery Manager
  • Search
  • Purge

Roles required for each action to work:

  • Block Sender Transport Rule action
  • Email Compliance Search action:
    • Mailbox Search role
  • Email Compliance Purge action:
    • Mailbox Import Export role
  • Email Compliance Search and Purge action:
    • Mailbox Import Export role
    • Mailbox Search role
  • Message Trace action:
    • Message Tracking role

Set Up a New User for Office 365:

You will need to create a new user or use an existing user account in your Office 365 instance that has the appropriate permissions. To create a new user account, you need to be logged in to an Office 365 administrator account.

To set up a new user in Office 365:

  1. Log in to Office 365 as an administrator at https://office.com.
  2. Go to the admin center. In the Apps section that appears after login, click on the Admin quick link. If this button is unavailable upon login, you can click on the nine-tiled App Launcher icon in the top-left corner, then click on the Admin button.
  3. In the Microsoft 365 admin center, click on the users option or the person icon in the left-hand navigation, then click on Active users.
  4. Click on the + Add a user option at the top of the Active users page.
  5. Configure the following required fields:
    • Display Name: We recommend naming this user something that will instantly tell you what it was created for. Consider something like “Rapid7 InsightConnect” for the display name.
    • Username: You will use this username to configure a connection for the Microsoft Office 365 Email Security plugin in InsightConnect. Consider using rapid7office365emailsecurity for easy reference. Microsoft Office will automatically append your organization’s email domain to the username.
    • Password: You will use this password to configure connections to the Microsoft Office 365 Email Security plugin in InsightConnect or for your remote host.
    • Roles: Select Customized admin for now. You’ll configure any remaining permissions in the next section.
    • Product Licenses: Provide the service account with one of your Office 365 licenses.
  6. Click Add to create the new user.

Set Up Role Groups for the Microsoft Office 365 Email Security User Account:

The user account you created in Office 365 for use with the InsightConnect Microsoft Office 365 Email Security plugin needs certain permissions. The user account needs to be a member of the following three Office 365 role groups.

Learn more about these groups here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-worldwide

To assign this user the correct permissions in the Microsoft 365 admin center:

  1. Click on the down arrow on the Admin centers option in the left navigation panel, then click on Security.
  2. In the Office 365 Security & Compliance admin center, click on the Permissions option in the left navigation panel.
  3. Check the list of permissions role groups for eDiscovery Manager. These are default role groups set up by Microsoft and cannot be edited. Then add members to each role group following the instructions below.
  4. To edit this role group, go into eDiscovery Manager, then select Copy role group and give the copy a name that reminds you this group is used for InsightConnect's Microsoft Office 365 Email Security plugin.
  5. Click Edit and select Add. From the options that follow, choose Search and Purge and save. Then click Done.
  6. In the Choose Members section below, select Add, search for the members that you would like to assign to this role group, and click Done.
  7. Review your settings and click Create Role Group.

Office 365 URL:

Office 365 URL is the parameter that will let you create a remote session with Exchange Online using PowerShell in your Office 365 instance. The Office 365 URL can be found in the Microsoft documentation link shown in the section below.

Be aware that the Office 365 URL that you are using depends on what type of tenant you have.

The default URL value in our Microsoft Office 365 Email Security plugin is: https://ps.compliance.protection.outlook.com/powershell-liveid/ and it should be used if you are an EOP Standalone Customer.

  • For an Exchange Online tenant, use the URL: https://outlook.office365.com/powershell-liveid/
  • For Office 365 operated by 21Vianet, use the URL: https://partner.outlook.cn/PowerShell
  • For Office 365 Germany, use the URL: https://outlook.office.de/powershell-liveid/
  • For Microsoft 365 GCC High, use the URL: https://outlook.office365.us/powershell-liveid/
  • For Microsoft 365 DoD, use the URL: https://webmail.apps.mil/powershell-liveid

Note that the account you use to connect to Exchange Online must be enabled for remote PowerShell. It must also have multifactor authentication disabled. If you don't have such an account, please consider creating a new account with multifactor authentication disabled.
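To confirm the URL and the service account before configuring the plugin connection, the following added example (not part of the original guide or the plugin's own code) opens the remote session described above and reports which cmdlets the account's roles expose. The tenant-type labels, the function name and the list of cmdlets checked are assumptions made for illustration; the URLs are the ones listed above.

```powershell
# Added example, not plugin code. URLs are the ones listed in this guide;
# the tenant-type labels used as keys are names chosen for this example.
$Office365Urls = @{
    EopStandalone  = 'https://ps.compliance.protection.outlook.com/powershell-liveid/'
    ExchangeOnline = 'https://outlook.office365.com/powershell-liveid/'
    Vianet21       = 'https://partner.outlook.cn/PowerShell'
    Germany        = 'https://outlook.office.de/powershell-liveid/'
    GccHigh        = 'https://outlook.office365.us/powershell-liveid/'
    DoD            = 'https://webmail.apps.mil/powershell-liveid'
}

# Assumption: cmdlets taken to correspond to the plugin's actions
# (block sender, compliance search, purge, message trace).
$ExpectedCmdlets = 'New-TransportRule', 'New-ComplianceSearch',
                   'New-ComplianceSearchAction', 'Get-MessageTrace'

function Test-Office365Connection {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('EopStandalone', 'ExchangeOnline', 'Vianet21', 'Germany', 'GccHigh', 'DoD')]
        [string]$TenantType,

        [Parameter(Mandatory)]
        [pscredential]$Credential   # prompt with Get-Credential; never hard-code the password
    )

    # Open the remote session against the URL for this tenant type.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri $Office365Urls[$TenantType] -Credential $Credential `
        -Authentication Basic -AllowRedirection -ErrorAction Stop
    try {
        # The endpoint only exports cmdlets that the account's roles allow,
        # so the imported module shows what this account can actually run.
        $module = Import-PSSession -Session $session -AllowClobber -DisableNameChecking
        foreach ($name in $ExpectedCmdlets) {
            [pscustomobject]@{
                Cmdlet    = $name
                Available = $module.ExportedCommands.ContainsKey($name)
            }
        }
    }
    finally {
        Remove-PSSession -Session $session   # always close the session
    }
}

# Usage: Test-Office365Connection -TenantType ExchangeOnline -Credential (Get-Credential)
```

A cmdlet reported as unavailable means either that the role for that action is not yet assigned to the account or that the chosen URL does not serve that cmdlet.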

For more information about the Office 365 URL and Exchange Online with PowerShell, please refer to these documents:

Mass Delete with PowerShell plugin in your Office 365 instance:

You can use the PowerShell plugin and a script written by the InsightConnect team to mass-delete items in your Office 365 instance. For more information about this feature, please refer to this document: Mass Delete With Powershell