I’ve taken the Exchange Online Mail Flow settings recommendations from the ASD Blueprint for Secure Cloud and created an online JSON settings file here:
https://github.com/directorcia/bp/blob/main/ASD/Exchange-Online/Settings/mailflow.json
I’ve then created a PowerShell script here:
https://github.com/directorcia/Office365/blob/master/asd-mailflow-get.ps1
with documentation here:
https://github.com/directorcia/Office365/wiki/ASD-Mail-Flow-Configuration-Check
that reads the online JSON file (or a local copy, if you prefer) and compares the recommended ASD settings with those in your own Exchange Online environment. Note: the script makes NO CHANGES to your environment; it simply reads the current settings.
It then produces the console output you see above and an HTML report like this:
You can refer to this page I also created:
https://github.com/directorcia/bp/wiki/Exchange-Online-Mail-Flow-Security-Controls
as to why these settings are important to the security of your M365 environment.
Look out for more scripts like this coming soon. I welcome any suggestions for improving this.
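To illustrate the read-only compare approach the post describes, here is an added example (my own illustration, not the asd-mailflow-get.ps1 script) that checks a list of recommended settings against the objects returned by Get-OrganizationConfig and Get-TransportConfig. The JSON layout and the Expected values below are assumptions for illustration only; they are not the layout or the recommendations in mailflow.json.

```powershell
# Added example, not the asd-mailflow-get.ps1 script. The JSON schema and the
# Expected values are constructed for illustration; they are not the ASD values.
$recommendedJson = @'
[
  { "Source": "OrganizationConfig", "Name": "DisablePlusAddressInRecipients", "Expected": false },
  { "Source": "OrganizationConfig", "Name": "SendFromAliasEnabled",           "Expected": true  },
  { "Source": "TransportConfig",    "Name": "ReplyAllStormProtectionEnabled", "Expected": true  }
]
'@

function Compare-MailFlowSettings {
    param(
        [Parameter(Mandatory)] [object[]]  $Recommended,  # parsed JSON entries
        [Parameter(Mandatory)] [hashtable] $Current       # Source name -> config object
    )
    foreach ($rec in $Recommended) {
        $config = $Current[$rec.Source]
        # A property that does not exist on the object is reported as Missing rather
        # than Compliant, so a misspelled setting name cannot silently pass the check.
        if ($null -eq $config -or -not ($config.PSObject.Properties.Name -contains $rec.Name)) {
            $actual = $null
            $status = 'Missing'
        } else {
            $actual = $config.($rec.Name)
            $status = if ($actual -eq $rec.Expected) { 'Compliant' } else { 'NonCompliant' }
        }
        [pscustomobject]@{
            Source   = $rec.Source
            Setting  = $rec.Name
            Expected = $rec.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

# Constructed sample tenant state so the example runs offline. In a real tenant,
# replace these two objects with Get-OrganizationConfig and Get-TransportConfig;
# both cmdlets only read configuration and change nothing.
$current = @{
    OrganizationConfig = [pscustomobject]@{ DisablePlusAddressInRecipients = $false; SendFromAliasEnabled = $false }
    TransportConfig    = [pscustomobject]@{ ReplyAllStormProtectionEnabled = $true }
}

Compare-MailFlowSettings -Recommended ($recommendedJson | ConvertFrom-Json) -Current $current |
    Format-Table -AutoSize
```

With the sample state above, SendFromAliasEnabled is reported NonCompliant and the other two Compliant; keeping the source object (OrganizationConfig versus TransportConfig) in each entry matters because the two cmdlets expose different settings.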
Any idea why this doesn’t match what’s in the Exchange Admin Centre?
I would have more faith in what PowerShell says than the GUI. If there is a mismatch you are going to have to track down why. Find one setting that is mismatched, use PowerShell to display that and compare it to the GUI. If they are different you are probably going to have to speak with MS. What settings are different so I can check it here?
I’ll reply here instead of via email.
I think the script is checking the OrganizationConfig, but some of the parameters are set in TransportConfig.
Can you provide specific examples to check.
Try the script now. Seems like a non checked field was being treated incorrectly. Let me know if there are still issues.
The example I was going to give yesterday was related to the Reply All Storm which now looks like it’s working!
Looks like there are still some errors with the parameters and syntax for some of the other checks, though. I think PlusAddressingEnabled should be DisablePlusAddressInRecipients and SendFromAliasesEnabled should be SendFromAliasEnabled (no "es" after Alias)?
Fixed
Thanks!