In the context of configuring anti-spam settings in Exchange (particularly Exchange Online, which uses Exchange Online Protection or EOP), “rules” and “policies” work together to define how email is processed and protected. PowerShell is the primary tool for granular control over these settings.
Here’s a breakdown of their relationship:
1. Policies (Anti-Spam Policies):
- What they are: Policies are the core configuration containers that define the overall anti-spam settings. They specify what actions to take when a message is identified with a certain spam confidence level (SCL) or other anti-spam verdict (e.g., spam, high-confidence spam, phishing, bulk email).
- Key settings within policies:
  - Spam Actions: What to do with messages identified as spam (e.g., move to the Junk Email folder, quarantine, add an X-header, redirect).
  - High-Confidence Spam Actions: Similar to spam actions, but for messages with a very high probability of being spam.
  - Phishing Actions: Actions for phishing attempts.
  - Bulk Email Thresholds (BCL – Bulk Complaint Level): How to treat bulk mail (e.g., newsletters, marketing emails) that isn’t necessarily spam but users might not want.
  - Allowed/Blocked Senders and Domains: Lists of specific senders or domains that should always be allowed or blocked, bypassing some or all spam filtering.
  - Advanced Spam Filter (ASF) settings: More granular options, such as increasing the spam score for specific characteristics (e.g., certain languages, countries, or specific URLs/patterns).
- Default Policies: Exchange/EOP comes with built-in default policies (e.g., “Default,” “Standard Preset Security,” “Strict Preset Security”) that provide a baseline level of protection.
- Custom Policies: You can create custom anti-spam policies to apply different settings to specific users, groups, or domains within your organization.
- PowerShell Cmdlets:
  - Get-HostedContentFilterPolicy: Views existing anti-spam policies.
  - New-HostedContentFilterPolicy: Creates a new custom anti-spam policy.
  - Set-HostedContentFilterPolicy: Modifies an existing anti-spam policy.
  - Get-HostedOutboundSpamFilterPolicy, Set-HostedOutboundSpamFilterPolicy, New-HostedOutboundSpamFilterPolicy: Manage outbound spam policies.
2. Rules (Anti-Spam Rules / Mail Flow Rules / Transport Rules):
- What they are: Rules apply policies to specific recipients or groups of recipients, or implement more dynamic and conditional anti-spam actions. While “anti-spam rules” are directly linked to anti-spam policies, “mail flow rules” (also known as “transport rules”) offer a broader range of conditions and actions, including ones that influence spam filtering.
- Relationship to Policies:
  - Anti-Spam Rules (specifically): An anti-spam rule (e.g., created with New-HostedContentFilterRule) links an anti-spam policy to specific conditions (e.g., applying the policy to members of a certain distribution group). A single anti-spam policy can be associated with multiple rules, but a rule can only be associated with one policy. This allows you to apply different policies to different sets of users.
  - Mail Flow Rules (broader impact): Mail flow rules can also be used to influence anti-spam behavior, even if they aren’t strictly “anti-spam rules.” For example:
    - Bypassing spam filtering: You can create a mail flow rule to set the Spam Confidence Level (SCL) of a message to -1 (bypass spam filtering) if it meets certain conditions (e.g., it comes from a trusted internal system or from specific external partners).
    - Increasing SCL: You can increase the SCL of messages that contain specific keywords or come from particular sources, forcing them to be treated more aggressively by anti-spam policies.
    - Redirecting/Quarantining: Mail flow rules can directly redirect suspicious messages to a quarantine mailbox or add specific headers for further processing, often based on content or sender characteristics that might indicate spam or phishing.
- PowerShell Cmdlets:
  - Get-HostedContentFilterRule: Views existing anti-spam rules.
  - New-HostedContentFilterRule: Creates a new anti-spam rule and links it to an anti-spam policy.
  - Set-HostedContentFilterRule: Modifies an existing anti-spam rule.
  - Get-TransportRule, New-TransportRule, Set-TransportRule: Manage general mail flow (transport) rules, which can include anti-spam related actions.
How they work together (with PowerShell in mind):
- Define the “What”: You use New-HostedContentFilterPolicy or Set-HostedContentFilterPolicy to define the core anti-spam behavior (e.g., “quarantine spam, move high-confidence spam to junk, block these specific senders”).
- Define the “Who/When”: You then use New-HostedContentFilterRule to create a rule that applies that specific policy to certain users or under specific conditions. You can prioritize these rules using the -Priority parameter on the Set-HostedContentFilterRule cmdlet, where a lower number means higher priority.
- Advanced Scenarios: For more nuanced control, or to handle edge cases not covered directly by anti-spam policies, you use New-TransportRule or Set-TransportRule. These allow you to:
  - Exempt certain senders/domains from all spam filtering (SCL -1).
  - Apply custom actions based on message headers (e.g., from a third-party spam filter).
  - Implement more sophisticated content-based filtering using keywords or regular expressions before the message hits the main anti-spam policies.
Example Scenario and PowerShell:
Let’s say you want to:
- Apply a strict anti-spam policy to your “Executives” group.
- Allow a specific partner domain to bypass most spam filtering.
Using PowerShell, you might:
- Create a custom anti-spam policy for executives:

```powershell
# -MarkAsSpamBulkMail takes Off, On or Test rather than a boolean
New-HostedContentFilterPolicy -Name "ExecutiveSpamPolicy" -HighConfidenceSpamAction Quarantine -SpamAction Quarantine -BulkThreshold 4 -MarkAsSpamBulkMail On
```

- Create an anti-spam rule to apply this policy to the “Executives” group:

```powershell
New-HostedContentFilterRule -Name "ApplyExecutiveSpamPolicy" -HostedContentFilterPolicy "ExecutiveSpamPolicy" -SentToMemberOf "ExecutivesGroup" -Priority 1
```

- Create a mail flow rule to bypass spam filtering for the partner domain:

```powershell
# -FromScope accepts InOrganization or NotInOrganization; the sender-domain condition is -SenderDomainIs.
# Priority 0 is the highest priority, so this rule is evaluated before the others.
New-TransportRule -Name "BypassSpamForPartner" -FromScope NotInOrganization -SenderDomainIs "partnerdomain.com" -SetSCL -1 -Priority 0
```
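Once policies, anti-spam rules and SCL -1 mail flow rules coexist, the useful follow-up is to see them in evaluation order and spot the bypasses. The review script below is an added example, not part of the original page; it assumes an existing Exchange Online PowerShell session and that the object properties returned by the Get-* cmdlets carry the same names as the corresponding parameters (Priority, HostedContentFilterPolicy, SentToMemberOf, AllowedSenderDomains, SetSCL, SenderDomainIs).

```powershell
# Added review script (assumes Connect-ExchangeOnline has already been run).
# 1. Anti-spam rules, lowest Priority number first (the order EOP evaluates them),
#    each joined to the policy it applies, so you can see which users get which actions.
$policies = Get-HostedContentFilterPolicy
$rules    = Get-HostedContentFilterRule | Sort-Object Priority

$rules | ForEach-Object {
    $rule   = $_
    $policy = $policies | Where-Object { $_.Name -eq $rule.HostedContentFilterPolicy }
    [pscustomobject]@{
        Priority       = $rule.Priority
        Rule           = $rule.Name
        State          = $rule.State                     # Enabled / Disabled
        Policy         = $policy.Name
        SpamAction     = $policy.SpamAction
        HighConfSpam   = $policy.HighConfidenceSpamAction
        BulkThreshold  = $policy.BulkThreshold
        SentToMemberOf = ($rule.SentToMemberOf -join ';')
    }
} | Format-Table -AutoSize

# 2. Policies with allow entries: allowed senders/domains skip filtering for everyone
#    the policy covers, so each entry should have a known owner and review date.
foreach ($policy in $policies) {
    if ($policy.AllowedSenderDomains -or $policy.AllowedSenders) {
        "{0}: allowed domains = [{1}]; allowed senders = [{2}]" -f $policy.Name,
            ($policy.AllowedSenderDomains -join ','), ($policy.AllowedSenders -join ',')
    }
}

# 3. Mail flow rules that set SCL -1 bypass spam filtering entirely. Flag any that
#    are not narrowed to a sender domain, sender address or sender IP range.
Get-TransportRule | Where-Object { "$($_.SetSCL)" -eq '-1' } | ForEach-Object {
    $scoped = [bool]($_.SenderDomainIs -or $_.From -or $_.SenderIpRanges)
    [pscustomobject]@{
        Priority = $_.Priority
        Rule     = $_.Name
        State    = $_.State
        Domains  = ($_.SenderDomainIs -join ',')
        Scoped   = $scoped        # $false means any external sender can reach SCL -1
    }
} | Format-Table -AutoSize
```

Run the script in an audit-only context; it only reads configuration and changes nothing, so it can be scheduled to detect drift such as a new unscoped SCL -1 rule or a widened allow list.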
In summary:
- Policies define the actions for different spam verdicts and general anti-spam behavior.
- Rules (both anti-spam rules and broader mail flow/transport rules) define the conditions under which those policies or other anti-spam actions are applied.
PowerShell gives administrators the power to create, modify, and manage these policies and rules with a high degree of precision and automation, which is crucial for effective anti-spam protection in Exchange environments.