
This article is Step 1 of 3 in the process of setting up the evaluation environment for Microsoft Defender for Office 365. For more information about this process, see the overview article.

Before enabling Defender for Office 365, be sure you understand the architecture and can meet the requirements. This article describes the architecture, key concepts, and the prerequisites that your Exchange Online environment must meet.

Understand the architecture

The following diagram illustrates the baseline architecture for Microsoft Defender for Office 365, which can include a third-party SMTP gateway or on-premises integration. Hybrid coexistence scenarios (i.e. production mailboxes are both on-premises and online) require more complex configurations and are not covered in this article or the evaluation guidance.

[Figure: Architecture for Microsoft Defender for Office 365]

The following table describes this illustration.

Call-out 1: The host server for the external sender typically performs a public DNS lookup for an MX record, which provides the target server to relay the message to. This referral can be either Exchange Online (EXO) directly or an SMTP gateway that has been configured to relay to EXO.

Call-out 2: Exchange Online Protection negotiates and validates the inbound connection and inspects the message headers and content to determine what additional policies, tagging, or processing is required.

Call-out 3: Exchange Online integrates with Microsoft Defender for Office 365 to offer more advanced threat protection, mitigation, and remediation.

Call-out 4: A message that is not malicious, blocked, or quarantined is processed and delivered to the recipient in EXO, where user preferences related to junk mail, mailbox rules, or other settings are evaluated and applied.

Call-out 5: Integration with on-premises Active Directory can be enabled using Azure AD Connect to synchronize and provision mail-enabled objects and accounts to Azure Active Directory and ultimately to Exchange Online.

Call-out 6: When integrating an on-premises environment, it is strongly encouraged to use an Exchange server for supported management and administration of mail-related attributes, settings, and configurations.

Call-out 7: Microsoft Defender for Office 365 shares signals with Microsoft 365 Defender for extended detection and response (XDR).
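Call-out 2 says that EOP inspects and tags each inbound message; the most direct way to see that tagging is the X-Forefront-Antispam-Report header it stamps on delivered mail. The following PowerShell is an added example, not code from the original article or from Microsoft: it unfolds the headers of a raw message, extracts that header, and decodes the documented EOP fields (CIP, CTRY, SCL, SFV, CAT, DIR) into a readable verdict. The raw message, its hosts and addresses are constructed for the example.

```powershell
# Added example; not code from the original article. The message below is constructed.
$RawMessage = @'
Received: from mail.example.net (203.0.113.25) by
 edge.contoso.com with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 203.0.113.25)
 smtp.mailfrom=example.net; dkim=none; dmarc=fail action=quarantine
X-Forefront-Antispam-Report: CIP:203.0.113.25;CTRY:US;LANG:en;SCL:6;SRV:;
 IPV:NLI;SFV:SPM;H:mail.example.net;PTR:mail.example.net;CAT:PHSH;SFTY:;
 DIR:INB;
From: "Payroll" <payroll@example.net>
To: user@contoso.com
Subject: Action required

Body text.
'@

function Get-MailHeaderValue {
    param(
        [Parameter(Mandatory)][string]$Raw,
        [Parameter(Mandatory)][string]$Name
    )
    # The header block ends at the first blank line; folded continuation lines
    # start with whitespace (RFC 5322), so join them back onto the header line.
    $headerBlock = ($Raw -split '\r?\n\r?\n', 2)[0]
    $unfolded = $headerBlock -replace '\r?\n[ \t]+', ' '
    $pattern = '^' + [regex]::Escape($Name) + ':\s*(.*)$'
    foreach ($line in ($unfolded -split '\r?\n')) {
        if ($line -match $pattern) { return $Matches[1] }   # -match is case-insensitive
    }
    return $null
}

function ConvertFrom-AntispamReport {
    param([Parameter(Mandatory)][string]$Value)
    # The header is a list of KEY:VALUE pairs separated by semicolons.
    $fields = @{}
    foreach ($pair in ($Value -split ';')) {
        $pair = $pair.Trim()
        if ($pair -match '^([A-Z]+):(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    # Spam confidence level values used by EOP (7 and 8 are not used).
    $scl = if ($fields.ContainsKey('SCL')) { [int]$fields['SCL'] } else { $null }
    $sclMeaning = switch ($scl) {
        { $_ -eq -1 }       { 'Filtering skipped (allow entry, safe sender, or connector)' }
        { $_ -in @(0, 1) }  { 'Not spam' }
        { $_ -in @(5, 6) }  { 'Spam' }
        { $_ -eq 9 }        { 'High confidence spam' }
        default             { 'Unknown or missing' }
    }
    # CAT is the protection policy category EOP assigned to the message.
    $categories = @{
        NONE = 'No threat'; SPM = 'Spam'; HSPM = 'High confidence spam'; BULK = 'Bulk'
        PHSH = 'Phishing'; HPHSH = 'High confidence phishing'; MALW = 'Malware'; SPOOF = 'Spoofing'
    }
    $cat = $fields['CAT']
    $catMeaning = if ($cat -and $categories.ContainsKey($cat)) { $categories[$cat] } else { 'Unknown or missing' }
    [pscustomobject]@{
        ConnectingIP      = $fields['CIP']
        Country           = $fields['CTRY']
        Direction         = $fields['DIR']      # INB = inbound, OUT = outbound
        SCL               = $scl
        SclMeaning        = $sclMeaning
        SpamFilterVerdict = $fields['SFV']      # SPM = spam, NSPM = not spam, SKN/SKI = skipped
        Category          = $cat
        CategoryMeaning   = $catMeaning
    }
}

$headerValue = Get-MailHeaderValue -Raw $RawMessage -Name 'X-Forefront-Antispam-Report'
ConvertFrom-AntispamReport -Value $headerValue | Format-List
```

For the constructed message the output reports SCL 6 (Spam), SFV SPM and category PHSH (Phishing), which is the combination of tags that call-out 4 later uses to decide whether the message reaches the mailbox. The same two functions work on any .eml saved from a user report or from the quarantine, since they only rely on standard header folding.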

On-premises integration is common but optional. If your environment is cloud-only, this guidance will also work for you.

Understand key concepts

The following table identifies key concepts that are important to understand when evaluating, configuring, and deploying Microsoft Defender for Office 365 (MDO).

  • Exchange Online Protection: Exchange Online Protection (EOP) is the cloud-based filtering service that helps protect your organization against spam and malware emails. EOP is included in all Microsoft 365 licenses that include Exchange Online. (More information: Exchange Online Protection overview)
  • Anti-malware protection: Organizations with mailboxes in EXO are automatically protected against malware. (More information: Anti-malware protection in EOP)
  • Anti-spam protection: Organizations with mailboxes in EXO are automatically protected against junk mail by anti-spam policies. (More information: Anti-spam protection in EOP)
  • Anti-phishing protection: MDO offers more advanced anti-phishing protection against spear phishing, whaling, ransomware, and other malicious activities. (More information: Additional anti-phishing protection in Microsoft Defender for Office 365)
  • Anti-spoofing protection: EOP includes features to help protect your organization from spoofed (forged) senders. (More information: Anti-spoofing protection in EOP)
  • Safe Attachments: Safe Attachments provides an additional layer of protection by using a virtual environment to check and "detonate" attachments in email messages before they are delivered. (More information: Safe Attachments in Microsoft Defender for Office 365)
  • Safe Attachments for SharePoint, OneDrive, and Microsoft Teams: Safe Attachments for SharePoint, OneDrive, and Microsoft Teams offers an additional layer of protection for files that have been uploaded to cloud storage repositories. (More information: Safe Attachments for SharePoint, OneDrive, and Microsoft Teams)
  • Safe Links: Safe Links provides URL scanning and rewriting within inbound email messages and verifies those links before they are delivered or clicked. (More information: Safe Links in Microsoft Defender for Office 365)

For more detailed information about the capabilities included with Microsoft Defender for Office 365, see the Microsoft Defender for Office 365 service description.

Review architecture requirements

A successful MDO evaluation or production pilot assumes the following prerequisites:

  • All your recipient mailboxes are currently in Exchange Online.
  • Your public MX record resolves directly to EOP or a third-party SMTP gateway that then relays inbound external email directly to EOP.
  • Your primary email domain is configured as authoritative in Exchange Online.
  • You successfully deployed and configured Directory-Based Edge Blocking (DBEB) as appropriate. For more information, see Use Directory-Based Edge Blocking to reject messages sent to invalid recipients.
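The second, third and fourth prerequisites can be verified from Exchange Online PowerShell and public DNS before the evaluation starts. The following script is an added example, not code from the original article or from Microsoft. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run, that Resolve-DnsName (the Windows DnsClient module) is available, and that the hypothetical parameter GatewayHosts lists the host names of your own third-party SMTP gateway, if you use one. It relies on two facts: the MX target EOP hands out has the form <domain-with-dashes>.mail.protection.outlook.com, and DBEB applies to domains whose type is Authoritative in Exchange Online.

```powershell
# Added example; not code from the original article or from Microsoft.
# Assumes Connect-ExchangeOnline has already established a session.
function Test-MdoPrerequisites {
    param(
        # Hypothetical parameter: host names of your third-party SMTP gateway, if any.
        [string[]]$GatewayHosts = @()
    )
    $gateways = $GatewayHosts | ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() }

    foreach ($accepted in Get-AcceptedDomain) {
        $domain = $accepted.DomainName.ToString()

        # The lowest preference value is the primary MX host a sending server picks first.
        $mx = Resolve-DnsName -Name $domain -Type MX -ErrorAction SilentlyContinue |
              Where-Object { $_.QueryType -eq 'MX' } |
              Sort-Object Preference |
              Select-Object -First 1
        $target = if ($mx) { $mx.NameExchange.TrimEnd('.').ToLowerInvariant() } else { $null }

        # EOP MX targets look like contoso-com.mail.protection.outlook.com.
        $mxToEop     = [bool]($target -like '*.mail.protection.outlook.com')
        # A gateway in front of EOP is acceptable as long as it relays inbound mail to EOP;
        # DNS cannot prove that relay, so the row only tells you the MX reaches the gateway.
        $mxToGateway = [bool]($target -and ($gateways -contains $target))

        # DBEB recipient validation only applies to Authoritative domains; Internal Relay
        # domains are not validated at the edge.
        $authoritative = ($accepted.DomainType -eq 'Authoritative')

        [pscustomobject]@{
            Domain             = $domain
            DomainType         = $accepted.DomainType
            IsDefault          = $accepted.Default
            MxTarget           = $target
            MxPointsToEop      = $mxToEop
            MxPointsToGateway  = $mxToGateway
            DbebApplies        = $authoritative
            MeetsPrerequisites = $authoritative -and ($mxToEop -or $mxToGateway)
        }
    }
}

# Usage: review every row where MeetsPrerequisites is False before starting the evaluation.
Test-MdoPrerequisites -GatewayHosts @('smtp-gateway.contoso.com') | Format-Table -AutoSize
```

The first prerequisite (all recipient mailboxes already in Exchange Online) is not something DNS or the accepted-domain list can prove; if any accepted domain still has on-premises mailboxes you are in the hybrid coexistence case the Important note below describes, and the row for that domain should be treated as not ready regardless of what the script reports.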

Important

If these requirements are not applicable, or you are still in a hybrid coexistence scenario, then a Microsoft Defender for Office 365 evaluation can require more complex or advanced configurations that are not fully covered in this guidance.

SIEM integration

You can integrate Microsoft Defender for Office 365 with Microsoft Sentinel to more comprehensively analyze security events across your organization and build playbooks for effective and immediate response. For more information, see Connect alerts from Microsoft Defender for Office 365.

Microsoft Defender for Office 365 can also be integrated into other Security Information and Event Management (SIEM) solutions using the Office 365 Management Activity API.

Source: Official Microsoft Brand
Edited by: BEST Antivirus KBS Team
