Disabling Office Macros via ASR to Meet Essential Eight Requirements

Using M365 Business Premium

The Essential Eight Mitigation Strategy #3 – Configure Microsoft Office Macro Settings requires organizations to disable Office macros by default for users without a demonstrated business need.¹In cloud-only environments using Microsoft 365 Business Premium and Microsoft Intune, this can be achieved through multiple complementary approaches:

Configuration Profiles (Settings Catalog or Imported Administrative Templates)

Attack Surface Reduction (ASR) Rules

Microsoft Defender for Endpoint capabilities (included in Business Premium)

However, there is an important limitation: Microsoft 365 Business Premium includes Microsoft 365 Apps for Business, which has limited support for the Office Cloud Policy Service—only privacy-related policies are supported.²For full macro control policies, you must use Configuration Profiles in Intune instead.³

Understanding Essential Eight Macro Security Requirements

Essential Eight Maturity Level Requirements

The Australian Cyber Security Centre (ACSC) Essential Eight framework defines specific controls for Microsoft Office macro security:⁴

Key ISM Controls (March 2025)

The Essential Eight implementation addresses multiple Information Security Manual (ISM) controls:⁵

ISM Control	Requirement	Implementation Method
ISM-1671	Macros disabled for users without business requirement	Configure “Disable VBA for Office applications” policy
ISM-1488	Block macros from internet sources	Enable “Block macros from running in Office files from the internet”
ISM-1675	Disable Trust Bar for unsigned macros	Configure “Disable Trust Bar Notification for unsigned applications”
ISM-1672	Enable macro antivirus scanning	Set “Macro Runtime Scan Scope” to “Enable for all documents”
ISM-1673	Block Win32 API calls from macros	Deploy ASR rule 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
ISM-1489	Prevent users from changing macro settings	Deploy policies via Intune (users cannot modify)

Microsoft 365 Business Premium Capabilities for Macro Control

What’s Included in Business Premium

Microsoft 365 Business Premium includes:

Microsoft Intune for device management

Microsoft Defender for Business (includes Attack Surface Reduction)

Microsoft 365 Apps for Business (desktop applications)

Important Licensing Limitations

⚠️ Critical Consideration: The Office Cloud Policy Service (config.office.com) has limited functionality with Microsoft 365 Apps for Business:

Only privacy control policies are supported⁶

Full macro security policies are NOT supported via Office Cloud Policy Service for Business licenses⁷

You must use Intune Configuration Profiles (Settings Catalog or Administrative Templates) instead

For full Office Cloud Policy Service support, you would need Microsoft 365 Apps for Enterprise licenses.⁸

Implementation Approach: Configuration Profiles in Intune

Method 1: Import Pre-Built ACSC Hardening Policy (Recommended)

Microsoft provides pre-built configuration profiles aligned with ACSC guidance. This is the fastest and most reliable method for Essential Eight compliance.

Step-by-Step: Import ACSC Office Hardening Policy

Detailed Steps:⁹

Create Target User Group

Create an Azure AD security group for “All Office Users”

This group will receive Office apps and hardening policies

Download ACSC Policy Template

Navigate to: https://github.com/microsoft/Microsoft365DSC/blob/master/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPolicyWindows10/1-IntuneDeviceConfigurationPolicyWindows10-Example.ps1

Download the ACSC Office Hardening Guidelines JSON file¹⁰

Import to Intune

Navigate to: Devices > Windows > Configuration profiles > Create

Select: Import Policy

Name: “ACSC Office Hardening – All Macros Disabled”

Browse for the downloaded JSON file

Click Save¹¹

Import OLE Prevention Script

Navigate to: Devices > Scripts > Add > Windows 10 and later

Name: “OLE Package Prevention”

Download script from: https://github.com/microsoft/Microsoft365DSC/blob/master/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPolicyWindows10/OfficeMacroHardening-PreventActivationofOLE.ps1[^1]

Configure:

Run script using logged-on credentials: Yes

Enforce script signature check: No

Run in 64-bit PowerShell: No¹²

Assign to: All Office Users group¹³

Assign the Policy

In the imported policy, go to Assignments

Included groups: Select “All Office Users”

Review + Save

Method 2: Manual Configuration Using Settings Catalog

If you prefer granular control, you can manually configure macro policies using Intune’s Settings Catalog.

Step-by-Step: Create Custom Macro Blocking Policy

Create New Settings Catalog Policy

Navigate to: Microsoft Intune admin center (intune.microsoft.com)

Go to: Devices > Configuration policies > Create > New Policy

Platform: Windows 10 and later

Profile type: Settings catalog

Name: “Office Macro Security – Disable All Macros”

Configure Settings for Each Office Application

The following settings must be configured for each Office application (Word, Excel, PowerPoint, Access, Outlook):¹⁴ ¹⁵

Microsoft Office 2016 (Global Settings)

Setting Path	Configuration
Microsoft Office 2016 > Security Settings
Automation Security	Enabled
– Set Automation Security level	Disable macros by default
Disable VBA for Office applications	Enabled
Security Settings > Trust Center
Allow mix of policy and user locations	Disabled

Microsoft Excel 2016

Setting Path	Configuration
Excel Options > Security > Trust Center
VBA Macro Notification Settings	Enabled
– VBA Macro Notification	Disable all without notification
Block macros from running in Office files from the Internet	Enabled
Trust access to Visual Basic Project	Disabled
Turn off trusted documents	Enabled
Turn off Trusted Documents on the network	Enabled
Excel Options > Security > Trust Center > Trusted Locations
Allow Trusted Locations on the network	Disabled
Disable all trusted locations	Enabled

Microsoft Word 2016

Setting Path	Configuration
Word Options > Security > Trust Center
VBA Macro Notification Settings	Enabled
– VBA Macro Notification	Disable all without notification
Block macros from running in Office files from the Internet	Enabled
Trust access to Visual Basic Project	Disabled
Turn off trusted documents	Enabled
Turn off Trusted Documents on the network	Enabled
Word Options > Security > Trust Center > Trusted Locations
Allow Trusted Locations on the network	Disabled
Disable all trusted locations	Enabled

Microsoft PowerPoint 2016

Setting Path	Configuration
PowerPoint Options > Security > Trust Center
VBA Macro Notification Settings	Enabled
– VBA Macro Notification	Disable all without notification
Block macros from running in Office files from the Internet	Enabled
Trust access to Visual Basic Project	Disabled
Turn off trusted documents	Enabled
Turn off Trusted Documents on the network	Enabled
PowerPoint Options > Security > Trust Center > Trusted Locations
Allow Trusted Locations on the network	Disabled
Disable all trusted locations	Enabled

Microsoft Access 2016

Setting Path	Configuration
Application Settings > Security > Trust Center
VBA Macro Notification Settings	Enabled
– VBA Macro Notification	Disable all without notification
Block macros from running in Office files from the Internet	Enabled
Turn off trusted documents	Enabled
Turn off Trusted Documents on the network	Enabled
Application Settings > Security > Trust Center > Trusted Locations
Allow Trusted Locations on the network	Disabled
Disable all trusted locations	Enabled

Microsoft Outlook 2016

Setting Path	Configuration
Security > Trust Center
Apply macro security settings to macros, add-ins and additional actions	Enabled
Security settings for macros	Enabled
– Security Level	Never warn, disable all

Assign the Policy

Assignments: Select your target user or device groups

Review + Create

Attack Surface Reduction (ASR) Rules for Essential Eight Compliance

Can ASR Rules Meet Essential Eight Requirements?

Yes, partially. Windows Attack Surface Reduction rules provide critical additional protections that complement macro blocking policies and help meet Essential Eight requirements.¹⁶ ¹⁷

ASR rules are included with Microsoft 365 Business Premium via Microsoft Defender for Business and can be deployed through Intune.¹⁸

Essential Eight-Relevant ASR Rules

The following ASR rules directly support Essential Eight mitigation strategies:¹⁹ ²⁰

ASR Rules for Office Macro Security

ASR Rule Name	GUID	Essential Eight Alignment	ISM Control
Block Win32 API calls from Office macros	92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b	✅ Required – Prevents macros from making dangerous system calls	ISM-1673
Block Office applications from creating child processes	d4f940ab-401b-4efc-aadc-ad5f3c50688a	✅ Recommended – Prevents macro-launched executables	User App Hardening
Block Office applications from creating executable content	3b576869-a4ec-4529-8536-b80a7769e899	✅ Recommended – Prevents macros from creating .exe files	User App Hardening
Block Office applications from injecting code into other processes	75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84	✅ Recommended – Prevents code injection attacks	User App Hardening
Block Office communication applications from creating child processes	26190899-1602-49e8-8b27-eb1d0a1ce869	✅ Recommended – Protects Outlook from exploitation	User App Hardening

Step-by-Step: Deploy ASR Rules via Intune

Detailed Implementation Steps:²¹

Navigate to ASR Policy Creation

Go to: Endpoint security > Attack surface reduction

Click: Create Policy²²

Configure Policy Basics

Platform: Windows 10, Windows 11, and Windows Server

Profile: Attack Surface Reduction Rules

Name: “Essential Eight – Office ASR Rules”

Description: “ASR rules aligned with ACSC Essential Eight requirements”

Configure ASR Rules

For each of the Essential Eight-relevant rules, configure the mode:²³

ASR Rule	Initial Mode	Production Mode
Block Win32 API calls from Office macros	Audit	Block (Required for ISM-1673)
Block Office applications from creating child processes	Audit	Block
Block Office applications from creating executable content	Audit	Block
Block Office applications from injecting code into other processes	Audit	Block
Block Office communication applications from creating child processes	Audit	Block

Mode Definitions:

Not Configured (0): Rule is disabled

Block (1): Rule is enforced

Audit (2): Rule logs events but doesn’t block

Warn (6): User receives warning but can bypass²⁴

Assign the Policy

Assignments:

Included groups: “All Windows Devices” or specific pilot groups

Excluded groups: Any test or exception groups

Click Next and Create

Testing and Deployment Strategy

⚠️ Important: ASR rules should be thoroughly tested before full enforcement:²⁵

Week 1-2: Deploy all rules in Audit mode

Week 3-4: Review Microsoft Defender for Endpoint logs for blocked activity

Week 5+: Switch rules to Block mode for full enforcement

Monitor for false positives and create exclusions as needed

Alternative: Manual ASR Deployment via Graph API

For advanced deployments, you can use Microsoft Graph API to deploy ASR policies programmatically:²⁶

Step-by-Step:

Navigate to Graph Explorer

Go to: https://developer.microsoft.com/en-us/graph/graph-explorer

Grant necessary permissions

Create POST Request

Method: POST

Endpoint: https://graph.microsoft.com/beta/deviceManagement/templates/0e237410-1367-4844-bd7f-15fb0f08943b/createInstance²⁷

Schema: Beta

Use ACSC Windows Hardening JSON

Download the JSON template from: https://github.com/microsoft/Microsoft365DSC/tree/master/Modules/Microsoft365DSC/Examples[^1]

Copy the JSON content and paste into the request body

Modify the policy name if needed

Execute the POST request

Assign Policy

Use Graph API or Intune portal to assign the created policy to your device groups

Monitoring and Validation

Verifying Policy Application

After deploying policies, verify they’re working correctly:

Check Policy Status in Intune

Navigate to: Devices > Monitor > Device configuration

Review deployment status for your macro policies

Check for any errors or conflicts²⁸

Test on End-User Device

Have a test user attempt to open a macro-enabled Office file

Verify that macros are blocked and no prompt appears

Check that Trust Center settings are grayed out (not user-modifiable)

Review Microsoft Defender for Endpoint

If you have Defender for Endpoint (included in Business Premium), monitor for macro-related events:²⁹

Endpoint behavioral sensors collect macro execution attempts

Cloud security analytics translate signals into insights

Threat intelligence identifies attacker techniques

Review alerts in the Microsoft 365 Defender portal (security.microsoft.com)

Validate ASR Rule Effectiveness

Navigate to: Microsoft 365 Defender portal > Reports > Attack surface reduction rules

Review triggered events for each ASR rule

Identify false positives and create exclusions if needed

Exception Management: Allowing Trusted Macros

Some users may have legitimate business requirements for macros. The Essential Eight framework accommodates this through Trusted Publishers or Trusted Locations.³⁰

Option 1: Trusted Publishers (Recommended)

Trusted Publishers use digital signatures to verify macro authenticity. This is the preferred method for Essential Eight compliance.³¹

Step-by-Step: Enable Trusted Publishers

Create Exception Group

Create Azure AD group: “Office Macro Users – Trusted Publishers”

Add users with legitimate macro needs³²

Download Trusted Publisher Policy

Download: https://github.com/microsoft/Microsoft365DSC/blob/master/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPolicyWindows10/2-IntuneDeviceConfigurationPolicyWindows10-Example.ps1[^1]

Import to Intune

Navigate to: Devices > Configuration profiles > Import Policy

Browse for downloaded JSON file

Name: “ACSC Office – Trusted Publishers Enabled”

Assign to: “Office Macro Users – Trusted Publishers” group³³

Exclude from Macro Blocking Policy

Edit your “All Macros Disabled” policy

Go to Assignments

Excluded groups: Add “Office Macro Users – Trusted Publishers”³⁴

Deploy Trusted Publisher Certificates

For each approved macro publisher:³⁵

Navigate to: Devices > Configuration profiles > Create

Profile type: Trusted certificate

Upload the publisher’s code-signing certificate

Assign to: “Office Macro Users – Trusted Publishers” group

Certificate Requirements:³⁶

Must use V3 signature scheme (more secure)

Certificate must be from a trusted Certificate Authority

Each publisher should have a separate policy for easier management

Macro Vetting Process

Before signing any macros:³⁷

Execute macros on an isolated test device with ACSC hardening applied

Verify no malicious behavior

Use Microsoft Defender Antivirus scanning (automatic with ACSC policies)

Consider third-party macro scanning tools for additional validation

Comprehensive Policy Summary Table

Configuration Profile Settings

Policy Category	Setting	Configuration	Purpose
VBA Macro Execution	Disable VBA for Office applications	Enabled	Disables VBA engine globally³⁸
	VBA Macro Notification Settings	Disable all without notification	Blocks all macros silently³⁹
Internet Macros	Block macros from Internet sources	Enabled	Prevents macros from untrusted sources⁴⁰
Automation Security	Automation Security Level	Disable macros by default	Prevents COM automation attacks⁴¹
Trust Center	Turn off trusted documents	Enabled	Prevents trust bypass via document trust⁴²
	Turn off Trusted Documents on network	Enabled	Prevents network trust bypass⁴³
	Disable all trusted locations	Enabled	Blocks trusted location bypass⁴⁴
	Allow mix of policy and user locations	Disabled	Prevents user-defined trust⁴⁵
	Trust access to VBA Project	Disabled	Blocks programmatic VBA access⁴⁶
Macro Scanning	Macro Runtime Scan Scope	Enable for all documents	Enables Defender AV scanning⁴⁷

Attack Surface Reduction Rules

ASR Rule	GUID	Mode	Purpose
Block Win32 API calls from Office macros	92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b	Block	Prevents dangerous API calls (ISM-1673)⁴⁸
Block Office apps creating child processes	d4f940ab-401b-4efc-aadc-ad5f3c50688a	Block	Prevents macro-launched executables⁴⁹
Block Office apps creating executable content	3b576869-a4ec-4529-8536-b80a7769e899	Block	Prevents .exe creation⁵⁰
Block Office apps injecting code	75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84	Block	Prevents process injection⁵¹
Block Outlook creating child processes	26190899-1602-49e8-8b27-eb1d0a1ce869	Block	Protects email client⁵²

Key Limitations and Considerations

Microsoft 365 Business Premium Constraints

Testing Recommendations

Pilot Deployment: Test policies with a small group before organization-wide rollout⁵³

Audit Mode First: Deploy ASR rules in Audit mode for 2-4 weeks before enforcement⁵⁴

User Communication: Notify users about macro blocking to reduce helpdesk calls

Exception Process: Establish clear process for macro exception requests

Regular Review: Validate Trusted Publisher certificates annually⁵⁵

Complete Implementation Checklist

Phase 1: Preparation

Create Azure AD security groups (“All Office Users”, “Macro Exception Users”)

Document current macro usage across organization

Establish exception approval process

Communicate changes to end users

Phase 2: Baseline Policy Deployment

Download ACSC Office Hardening policy from GitHub

Import policy to Intune Configuration Profiles

Download and import OLE prevention PowerShell script

Assign policies to pilot group

Test policy application on pilot devices

Phase 3: ASR Rule Deployment

Create ASR policy in Endpoint Security

Configure 5 Office-related ASR rules in Audit mode

Assign to pilot group

Monitor events in Microsoft 365 Defender for 2-4 weeks

Phase 4: Production Rollout

Review audit logs for false positives

Create ASR exclusions if needed

Switch ASR rules to Block mode

Expand deployment to all users

Configure Trusted Publisher policies for exception users

Phase 5: Ongoing Management

Monitor Defender for Endpoint alerts

Review exception requests quarterly

Validate Trusted Publisher certificates annually

Update policies as new ISM controls are released

Conclusion

Meeting the Essential Eight requirements for disabling Office macros in a cloud-only environment with Microsoft 365 Business Premium is achievable through:

Intune Configuration Profiles: Disable macros at the Office application level using Settings Catalog or imported administrative templates

Attack Surface Reduction Rules: Deploy complementary ASR rules to block macro-related attack behaviors

Exception Management: Use Trusted Publishers for users with legitimate macro needs

Continuous Monitoring: Leverage Microsoft Defender for Endpoint for visibility and alerting

While Office Cloud Policy Service has limitations with Business Premium, Intune Configuration Profiles provide full macro control capabilities needed for Essential Eight compliance. ASR rules successfully accommodate Essential Eight requirements by providing the necessary technical controls, particularly ISM-1673 (blocking Win32 API calls from macros).

The combination of these approaches provides defense-in-depth aligned with ACSC guidance and enables organizations to achieve Essential Eight Maturity Level 3 for macro security.

References

Microsoft Official Documentation

Microsoft Learn – Essential Eight Guidance

Essential Eight configure Microsoft Office macro settings

Full URL: https://learn.microsoft.com/en-us/compliance/anz/e8-macro

Site: Microsoft Learn

Microsoft Learn – Essential Eight User Application Hardening

Essential Eight user application hardening

Full URL: https://learn.microsoft.com/en-us/compliance/anz/e8-app-harden

Site: Microsoft Learn

Microsoft Learn – Intune Office Policies

Policies for Microsoft 365 Apps – Microsoft Intune

Full URL: https://learn.microsoft.com/en-us/intune/intune-service/apps/app-office-policies

Site: Microsoft Learn

Microsoft Learn – Office Cloud Policy Service Overview

Overview of Cloud Policy service for Microsoft 365

Full URL: https://learn.microsoft.com/en-us/microsoft-365-apps/admin-center/overview-cloud-policy

Site: Microsoft Learn

Microsoft Learn – Attack Surface Reduction Rules Reference

Attack surface reduction rules reference – Microsoft Defender for Endpoint

Full URL: https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

Site: Microsoft Learn

Microsoft Learn – Manage ASR with Intune

Manage attack surface reduction settings with Microsoft Intune

Full URL: https://learn.microsoft.com/en-us/intune/intune-service/protect/endpoint-security-asr-policy

Site: Microsoft Learn

Microsoft Intune Admin Center

Microsoft Intune admin center

Full URL: https://intune.microsoft.com

Site: Microsoft Intune

Australian Cyber Security Centre (ACSC) Guidance

Cyber.gov.au – Restricting Microsoft Office Macros

Restricting Microsoft Office macros

Full URL: https://www.cyber.gov.au/business-government/protecting-devices-systems/hardening-systems-applications/system-hardening/restricting-microsoft-office-macros

Site: Australian Cyber Security Centre (ACSC)

Cyber.gov.au – Guidelines for System Hardening

Guidelines for System Hardening

Full URL: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-system-hardening

Site: Australian Cyber Security Centre (ACSC)

Cyber.gov.au – Hardening Microsoft 365 and Office

Hardening Microsoft 365, Office 2021, Office 2019, and Office 2016

Full URL: https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/hardening-microsoft-365-office-2021-office-2019-and-office-2016

Site: Australian Cyber Security Centre (ACSC)

Cyber.gov.au – Microsoft Office Macro Security

Microsoft Office Macro Security

Full URL: https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/restricting-microsoft-office-macros

Site: Australian Cyber Security Centre (ACSC)

Cyber.gov.au – Essential Eight Assessment Process Guide

Essential Eight assessment process guide

Full URL: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-assessment-process-guide

Site: Australian Cyber Security Centre (ACSC)

Cyber.gov.au – Technical Example: Configure Macro Settings

Technical example: Configure macro settings

Full URL: https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/technical-example-configure-macro-settings

Site: Australian Cyber Security Centre (ACSC)

ASD Blueprint for Secure Cloud

ASD Blueprint – Office Hardening All Macros Disabled

ASD Office hardening – all macros disabled

Full URL: https://blueprint.asd.gov.au/configuration/intune/devices/configuration-policies/asd-office-hardening-all-macros-disabled/

Site: ASD’s Blueprint for Secure Cloud

ASD Blueprint – Microsoft Office Macro Hardening Design

Microsoft Office macro hardening

Full URL: https://blueprint.asd.gov.au/design/endpoints/windows/security/microsoft-office-macro-hardening/

Site: ASD’s Blueprint for Secure Cloud

ASD Blueprint – Restrict Microsoft Office Macros

Restrict Microsoft Office macros

Full URL: https://blueprint.asd.gov.au/security-and-governance/essential-eight/restrict-microsoft-office-macros/

Site: ASD’s Blueprint for Secure Cloud

GitHub Repositories and Templates

Microsoft GitHub – ACSC Office Hardening Guidelines

ACSC Office Hardening Guidelines (JSON)

Full URL: https://github.com/microsoft/Microsoft365DSC/tree/master/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPolicyWindows10

Site: GitHub – Microsoft

Microsoft GitHub – OLE Prevention PowerShell Script

OfficeMacroHardening-PreventActivationofOLE.ps1

Full URL: https://github.com/microsoft/Microsoft365DSC/blob/master/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPolicyWindows10/OfficeMacroHardening-PreventActivationofOLE.ps1

Site: GitHub – Microsoft

Microsoft GitHub – ACSC Windows Hardening ASR Policy

ACSC Windows Hardening Guidelines – Attack Surface Reduction policy (JSON)

Full URL: https://github.com/microsoft/Microsoft365DSC/blob/master/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointProtectionPolicy/1-IntuneEndpointProtectionPolicy-Example.ps1

Site: GitHub – Microsoft

GitHub – ACSC Essential 8 Office Hardening Module

benjamin-robertson/acsc_e8_office_hardening

Full URL: https://github.com/benjamin-robertson/acsc_e8_office_hardening

Site: GitHub – Community

Community and Technical Resources

Reddit – Office 365 Community Discussion

365 Business Premium – GPO or config.office.com

Full URL: https://www.reddit.com/r/Office365/comments/vj3elj/365_business_premium_gpo_or_configofficecom/

Site: Reddit – r/Office365

Practical365 – Office Cloud Policy Service

Block Macro Execution with Office Cloud Policy Service (OCPS)

Full URL: https://practical365.com/block-macro-execution-office-cloud-policy-service/

Site: Practical365

Mr T-Bone’s Blog – Intune Office Policies

How to use policies for Office apps in Intune

Full URL: https://www.tbone.se/2024/01/18/how-to-use-policies-for-office-apps-in-intune/

Site: Mr T-Bone´s Blog

Helge Klein – Blocking Office Macros

Blocking Office Macros, Managing Windows & macOS via Intune

Full URL: https://helgeklein.com/blog/blocking-office-macros-managing-windows-macos-via-intune/

Site: Helge Klein

T-Minus365 – Deploy ASR Rules

Deploy Attack Surface Reduction Rules from Microsoft Intune

Full URL: https://tminus365.com/deploy-attack-surface-reduction-rules-from-microsoft-intune/

Site: T-Minus365

Azure with Tom – Implementing ASR Policies

Implementing Attack Surface Reduction Policies

Full URL: https://azurewithtom.com/implementing-attack-surface-reduction-policies/

Site: Azure with Tom

Additional Resources

Microsoft Graph API – Graph Explorer

Graph Explorer for API Testing

Full URL: https://developer.microsoft.com/en-us/graph/graph-explorer

Site: Microsoft Developer

Microsoft 365 Defender Portal

Microsoft 365 Defender Security Portal

Full URL: https://security.microsoft.com

Site: Microsoft 365 Defender

CISA – Disable VBA Macros Guidance

Disable Visual Basic for Applications (VBA) Macros (CM0056)

Full URL: https://www.cisa.gov/resources-tools/resources/disable-visual-basic-applications-vba-macros-cm0056

Site: Cybersecurity and Infrastructure Security Agency (CISA)

ASD OWA settings check script

I’ve taken the Exchange Online Outlook web app policies settings recommendations from the ASD Blueprint for Secure Cloud and created an online JSON settings file here:

https://github.com/directorcia/bp/blob/main/ASD/Exchange-Online/Roles/owamail.json

I’ve then created a PowerShell script here:

https://github.com/directorcia/Office365/blob/master/asd-owamail-get.ps1

with documentation here:

https://github.com/directorcia/Office365/wiki/ASD-OWA-Mailbox-Configuration-Check

that reads the online JSON file (or uses a local version if you want to use that) and compares the recommended ASD settings to those in your own Exchange Online environment. Note, the script makes NO CHANGES to your environment, it simply reads the current settings.

It then produces the console output you see above and a HTML report like this:

You can refer to this page I also created:

https://github.com/directorcia/bp/wiki/Exchange-Online-OWA-Mailbox-Security-Controls

as to why these settings are important to the security of your M365 environment.

Look out for more scripts like this coming soon. I welcome any suggestion about improving this.

ASD Mailflow settings check script

I’ve taken the Exchange Online Mail Flow settings recommendations from the ASD Blueprint for Secure Cloud and created an online JSON settings file here:

https://github.com/directorcia/bp/blob/main/ASD/Exchange-Online/Settings/mailflow.json

I’ve then created a PowerShell script here:

https://github.com/directorcia/Office365/blob/master/asd-mailflow-get.ps1

with documentation here:

https://github.com/directorcia/Office365/wiki/ASD-Mail-Flow-Configuration-Check

It then produces the console output you see above and a HTML report like this:

You can refer to this page I also created:

https://github.com/directorcia/bp/wiki/Exchange-Online-Mail-Flow-Security-Controls

as to why these settings are important to the security of your M365 environment.

Look out for more scripts like this coming soon. I welcome any suggestion about improving this.

ASD Remote domains check script

I’ve taken the Exchange Online Remote Domains settings recommendations from the ASD Blueprint for Secure Cloud and created an online JSON settings file here:

https://github.com/directorcia/bp/blob/main/ASD/Exchange-Online/Mail-flow/remote-domains.json

I’ve then created a PowerShell script here:

https://github.com/directorcia/Office365/blob/master/asd-remotedomain-get.ps1

with documentation here:

https://github.com/directorcia/Office365/wiki/ASD-Remote-Domain-Configuration-Check

It then produces the console output you see above and a HTML report like this:

You can refer to this page I also created:

https://github.com/directorcia/bp/wiki/Exchange-Online-Remote-Domain-Security-Controls

as to why these settings are important to the security of your M365 environment.

Look out for more scripts like this coming soon. I welcome any suggestion about improving this.

CIAOPS Need to Know Microsoft 365 Webinar – November

laptop-eyes-technology-computer_thumb

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at my recommended security framework for Microsoft 365 environments.

*** BONUS CONTENT ***

As an added incentive to register for this webinar, I’ll send everyone that does a free copy of my M365 Security Framework Comparison analysis report. Stay tuned to your inbox once you have registered to help you secure your Microsoft 365 environment better.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

November Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2511)

The details are:

CIAOPS Need to Know Webinar – November 2025
Friday 28th of November 2025
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Configuring Exchange Online Mailbox Logging – Best Practices and Step-by-Step Guide

Important: Mailbox Auditing is Already ON by Default

Good news! Since 2019, Microsoft automatically enables mailbox auditing for all Exchange Online organizations. This means logging is already active for your mailboxes without requiring any manual configuration.

Should You Enable All Available Logging?

No, you should NOT enable all available logging. Here’s why:

Microsoft’s Recommendation: Use the default audit configuration, which Microsoft automatically manages and updates
Storage Impact: Audit logs consume storage space in each mailbox’s Recoverable Items folder (counts against the 30GB default limit)
Performance Consideration: Excessive logging can impact mailbox performance
Automatic Updates: Microsoft automatically adds new important actions to the default audit configuration as they’re released

What’s Logged by Default

The default configuration logs these critical actions:

Action	Admin	Delegate	Owner
Create (Calendar items)	✓	✓
HardDelete	✓	✓	✓
MoveToDeletedItems	✓	✓	✓
SendAs	✓	✓
SendOnBehalf	✓	✓
SoftDelete	✓	✓	✓
Update	✓	✓	✓
UpdateFolderPermissions	✓	✓	✓
UpdateInboxRules	✓	✓	✓

Step-by-Step Configuration Guide

Method 1: PowerShell (Recommended)

Step 1: Connect to Exchange Online PowerShell

Install-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

Step 2: Verify Organization-Wide Auditing is Enabled

Get-OrganizationConfig | Format-List AuditDisabled

Result should show False (meaning auditing is enabled)

Step 3: Check Current Mailbox Audit Status

# For a specific mailbox
Get-Mailbox -Identity "user@domain.com" | Format-List Name,AuditEnabled,DefaultAuditSet

# For all mailboxes
Get-Mailbox -ResultSize Unlimited | Format-Table Name,AuditEnabled,DefaultAuditSet

Step 4: Use Default Settings (Recommended)

# Restore default auditing for a mailbox that was customized
Set-Mailbox -Identity "user@domain.com" -DefaultAuditSet Admin,Delegate,Owner

Step 5: Only If Necessary – Customize Specific Actions

# Example: Add MailboxLogin tracking for owner actions
Set-Mailbox -Identity "user@domain.com" -AuditOwner @{Add="MailboxLogin"}

# Example: Set specific admin actions (overwrites defaults - not recommended)
Set-Mailbox -Identity "user@domain.com" -AuditAdmin MessageBind,FolderBind,HardDelete

Step 6: Configure Retention Period

# Default is 90 days, can extend up to 365 days (E5 license required for >180 days)
Set-Mailbox -Identity "user@domain.com" -AuditLogAgeLimit 180

# Apply to all mailboxes
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditLogAgeLimit 180

Step 7: Verify Configuration

# Check what actions are being audited
Get-Mailbox -Identity "user@domain.com" | Select-Object -ExpandProperty AuditAdmin
Get-Mailbox -Identity "user@domain.com" | Select-Object -ExpandProperty AuditDelegate
Get-Mailbox -Identity "user@domain.com" | Select-Object -ExpandProperty AuditOwner

Method 2: Microsoft 365 Admin Center (Limited Options)

Note: The GUI provides limited mailbox audit configuration options. Most settings require PowerShell.

To Search Audit Logs via GUI:

Navigate to Microsoft Purview compliance portal
Go to Audit in the left navigation
Ensure audit log search is turned on (banner will appear if it’s not)
Use the search interface to query audit logs
Filter by:
- Activities (e.g., “Mailbox activities”)
- Date range
- Users
- File, folder, or site
Export results as needed

To Export Mailbox Audit Logs via Classic EAC:

Navigate to the Classic Exchange Admin Center
Go to Compliance Management → Auditing
Click “Export mailbox audit logs”
Specify date range and recipients
Submit the export request

Best Practices Summary

Keep default auditing enabled – It’s already on and Microsoft manages it
Don’t enable all actions – Avoid FolderBind and MessageBind for owners (creates excessive logs)
Retention considerations:
- Standard licenses: 180 days retention
- E5 licenses: 1 year retention by default
- 10-year retention available with additional licensing
Monitor storage: Check Recoverable Items folder size periodically
Use PowerShell for configuration: GUI options are limited
Test before mass deployment: If customizing, test on pilot mailboxes first

When to Customize Auditing

Only customize mailbox auditing if you have specific compliance requirements such as:

Regulatory requirements for specific action tracking
Security investigation needs
Tracking mailbox login events (MailboxLogin)
Monitoring specific delegate activities

Understanding FolderBind and MessageBind Logging for Mailbox Owners

What FolderBind and MessageBind Actually Log

FolderBind

What it logs: Every time a mailbox folder is accessed or opened

Records when someone navigates to or opens any folder (Inbox, Sent Items, Deleted Items, custom folders, etc.)
Captures the folder GUID and path
Logs the timestamp, client IP address, and application used
For delegates, entries are consolidated (one record per folder per 24-hour period to reduce volume)
Important: Not consolidated for owners – every folder access creates a separate log entry

MessageBind

What it logs: Every time a message is viewed in the preview pane or opened

Records when someone reads or opens an individual email message
Captures the message subject and ItemID
Logs whether the message was previewed or fully opened
Records the client application and IP address
Note: For E5 licensed users, this is replaced by the more sophisticated MailItemsAccessed action

Why These Actions Are NOT Enabled for Owners by Default

1. Massive Log Volume

The Reality: A typical user might:

Access 20-50 folders per day during normal email activity
View 50-200+ messages daily
Generate thousands of audit entries weekly
Create up to 100,000+ audit entries annually per mailbox

2. Storage Impact

Audit logs are stored in the mailbox’s Recoverable Items folder (Audits subfolder)
Count against the 30GB default quota (or 100GB with holds)
Maximum 3 million items can be stored in the Audits subfolder
Heavy users could hit these limits within months

3. Performance Considerations

Every folder navigation and message view triggers a write operation
Can impact mailbox performance, especially for heavy email users
Increases server-side processing load
May slow down email client responsiveness

4. Signal-to-Noise Ratio

99.9% of owner FolderBind/MessageBind events are legitimate daily activity
Makes it extremely difficult to identify suspicious activity
Investigation tools often filter out FolderBind by default because of the noise

Legitimate Scenarios for Enabling FolderBind/MessageBind for Owners

1. Insider Threat Detection

Use Case: Monitoring high-risk individuals or sensitive roles

Executives with access to M&A information
Employees on performance improvement plans or termination notice
Users with access to intellectual property or trade secrets
Detecting unusual access patterns (e.g., accessing old emails before resignation)

2. Compliance Requirements

Use Case: Specific regulatory mandates

Financial services requiring complete audit trails (SEC, FINRA)
Healthcare organizations tracking PHI access (HIPAA)
Government contractors with security clearance requirements
Legal hold scenarios requiring complete activity documentation

3. Forensic Investigations

Use Case: Post-incident analysis

Determining if a compromised account’s emails were actually read
Investigating data exfiltration attempts
Proving or disproving unauthorized access claims
Building timeline of activities during security incidents

4. Privileged Account Monitoring

Use Case: Enhanced monitoring for administrative accounts

Service accounts that shouldn’t have regular email activity
Shared mailboxes with sensitive information
Discovery mailboxes used for legal searches
Executive assistant mailboxes with delegated access

Best Practices If You Enable FolderBind/MessageBind for Owners

1. Selective Implementation

# Enable only for specific high-risk mailboxes
Set-Mailbox -Identity "CEO@company.com" -AuditOwner @{Add="FolderBind","MessageBind"}

# Create a list of VIP users
$VIPUsers = "CEO@company.com","CFO@company.com","Legal@company.com"
foreach ($user in $VIPUsers) {
    Set-Mailbox -Identity $user -AuditOwner @{Add="FolderBind","MessageBind"}
}

2. Increase Retention Period

# Extend audit log retention to accommodate increased volume
Set-Mailbox -Identity "CEO@company.com" -AuditLogAgeLimit 365

3. Monitor Storage Impact

# Check audit folder size regularly
Get-MailboxFolderStatistics -Identity "CEO@company.com" -FolderScope RecoverableItems | 
    Where-Object {$_.Name -eq 'Audits'} | 
    Format-List FolderPath,FolderSize,ItemsInFolder

4. Implement Automated Analysis

Export logs to SIEM systems for pattern analysis
Set up alerts for unusual access patterns
Use machine learning to baseline normal behavior
Focus on deviations from typical patterns

5. Consider Alternative Solutions

For E5 Users: Use MailItemsAccessed instead (more intelligent, less noisy)
Microsoft Defender: Use insider risk management policies
Third-party tools: Consider specialized insider threat detection solutions
DLP policies: Focus on preventing data loss rather than tracking all access

The MailItemsAccessed Alternative (E5 Licenses)

For organizations with E5 licenses, MailItemsAccessed is a superior alternative that:

Intelligently aggregates similar activities (reduces noise by 80-90%)
Provides both sync and bind operation tracking
Includes deduplication (removes duplicate entries within 1-hour windows)
Records InternetMessageId for precise message tracking
Better suited for forensic investigations
Automatically enabled for E5 users

Summary Recommendation

Enable FolderBind/MessageBind for owners ONLY when:

You have specific compliance or security requirements
Monitoring high-risk individuals or during investigations
You have the resources to analyze the massive data volume
Storage and performance impacts have been evaluated
You’ve implemented automated analysis tools

Otherwise: Stick with the default configuration and use alternative methods like DLP policies, insider risk management, and the MailItemsAccessed action (for E5 users) for more effective security monitoring.

Implementing a Phased Rollout of Conditional Access Policies Requiring Device Compliance in Microsoft 365

Overview

Implementing Conditional Access policies requiring device compliance in Microsoft 365 requires careful planning and a phased approach to minimize disruption while maintaining security. This comprehensive guide provides step-by-step instructions specifically tailored for small businesses.

1. Prerequisites and Initial Setup

Required Licenses

Microsoft Entra ID P1 or P2 – Required for Conditional Access
Microsoft Intune – Required for device compliance management
Microsoft 365 Business Premium or higher for small businesses

Essential Preparations

Configure Emergency Access Accounts
- Create at least two emergency access (break-glass) accounts
- Exclude these accounts from ALL Conditional Access policies
- Store credentials securely and separately
Create Device Compliance Policies First
- Define minimum OS version requirements
- Set encryption requirements
- Configure password/PIN requirements
- Establish jailbreak/root detection settings
Enable User Registration for MFA
- Allow users to register authentication methods before enforcing policies
- Communicate registration requirements to all users

2. Phased Rollout Strategy

Phase 1: Foundation (Weeks 1-2)

Objective: Establish baseline security and prepare infrastructure

Create policies in Report-Only Mode
Block legacy authentication protocols
Secure the MFA registration page
Target privileged accounts first with phishing-resistant MFA

Phase 2: Pilot Testing (Weeks 2-4)

Objective: Test with limited user groups

Pilot Group Selection

Start with 5-10% of your organization
Include IT staff and willing early adopters
Avoid executives and VIPs initially
Ensure representation from different departments

Creating the Policy in Report-Only Mode

Navigate to Microsoft Entra admin center → Conditional Access → Policies
Create new policy with these settings:
- Name: “Require Device Compliance – Pilot”
- Users: Select pilot group
- Cloud apps: Start with non-critical apps
- Grant: Require device to be marked as compliant
- Enable policy: Report-only

Phase 3: Gradual Expansion (Weeks 4-8)

Objective: Progressively include more users and applications

Automated Phased Rollout Approach

If using the Conditional Access Optimization Agent (requires Microsoft Security Copilot):

The agent automatically creates a 5-phase rollout plan
Groups are assigned based on risk and impact analysis
Automatic progression between phases based on success metrics
Built-in safeguards pause rollout if sign-in success rate drops below 90%

Manual Phased Rollout Approach

Phase 3a: Add 25% more users (low-risk departments)
Phase 3b: Add another 25% (medium-risk departments)
Phase 3c: Add remaining standard users
Phase 3d: Include executives and VIPs
Phase 3e: Apply to all cloud applications

Phase 4: Full Deployment (Week 8+)

Switch policy from Report-only to On
Monitor for 2 weeks before removing report-only policies
Clean up redundant or test policies

3. Monitoring Strategies

Real-Time Monitoring Tools

A. Sign-in Logs Analysis

Navigate to Microsoft Entra admin center → Monitoring & health → Sign-in logs
Filter by:
- Conditional Access status
- Failure reasons
- Affected users
Review the Report-only tab for policy impact without enforcement

B. Conditional Access Insights Workbook

Requires Azure Monitor subscription:

Provides aggregate view of policy impacts
Identifies potential issues before enforcement
Shows user impact analysis

C. Device Compliance Dashboard

Access via Intune admin center → Reports → Device compliance
Monitor:
- Compliance status by policy
- Non-compliant device trends
- Error patterns in compliance evaluation

Key Metrics to Track

Sign-in success rate: Should remain above 90%
Device compliance rate: Target 95%+ before full enforcement
Help desk tickets: Monitor for unusual spikes
User productivity impact: Track application access patterns

4. Rollback Procedures

Immediate Rollback Options

Option 1: Disable the Policy

Navigate to the Conditional Access policy
Change Enable policy from “On” to “Off”
Takes effect within minutes for new sign-ins

Option 2: Switch to Report-Only Mode

Edit the policy
Change Enable policy to “Report-only”
Maintains visibility while removing enforcement

Option 3: Exclude Affected Users/Groups

Edit policy → Assignments → Users
Under Exclude, add affected users or groups
Use sparingly and temporarily

Grace Period Configuration

Configure grace periods in Intune compliance policies:

Navigate to Intune admin center → Devices → Compliance policies
Edit policy → Actions for noncompliance
Set grace period (recommended: 3-7 days for initial rollout)
Users maintain access during grace period while fixing compliance issues

Recovery from Deleted Policies

Deleted policies can be recovered within 30 days
Access soft-deleted policies through Microsoft Entra admin center
Restore maintains original configuration and assignments

5. Best Practices and Recommendations

Communication Strategy

Pre-deployment: 2 weeks advance notice with requirements
During pilot: Weekly updates to pilot users
Rollout phases: 48-hour notice before including new groups
Post-deployment: Success confirmation and support resources

Testing Checklist

✓ Test with multiple device platforms (Windows, iOS, Android)
✓ Verify enrollment process for new devices
✓ Confirm excluded accounts remain accessible
✓ Test rollback procedures in development environment
✓ Validate help desk escalation procedures

Common Pitfalls to Avoid

Not excluding emergency accounts – Can result in complete lockout
Skipping report-only mode – Misses opportunity to identify issues
Moving too quickly between phases – Insufficient time to identify problems
Inadequate user communication – Leads to confusion and resistance
Not monitoring device check-in intervals – Compliance updates may be delayed

PowerShell Monitoring Example


# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Policy.Read.All"

# Get all Conditional Access policies
$policies = Get-MgIdentityConditionalAccessPolicy

# Filter for device compliance policies
$compliancePolicies = $policies | Where-Object { 
    $_.GrantControls.BuiltInControls -contains "compliantDevice" 
}

# Display policy status
$compliancePolicies | Format-Table DisplayName, State, CreatedDateTime

Implementing Risk-Based Conditional Access Policies for Small Business

Risk-based Conditional Access policies provide adaptive security that automatically adjusts authentication requirements based on the risk level of sign-ins and user behavior, helping you maintain an optimal balance between security and productivity.

Prerequisites and Licensing

Microsoft Entra ID P2 license required for risk-based policies (includes Identity Protection)
Microsoft 365 Business Premium includes Conditional Access features for small businesses
Users must be registered for Multi-Factor Authentication (MFA) before policy enforcement
Configure trusted network locations to reduce false positives

Step-by-Step Implementation Guide

Phase 1: Foundation Setup (Week 1)

Create Emergency Access Accounts
- Set up at least two break-glass accounts excluded from all policies
- These prevent complete lockout if policies are misconfigured
Start with Report-Only Mode
- Deploy all new policies in report-only mode first
- Monitor for at least 7-14 days to understand impact
- Review sign-in logs to identify potential issues

Phase 2: Sign-in Risk Policy Configuration

Navigate to Microsoft Entra admin center > Conditional Access
Create new policy: “Require MFA for risky sign-ins”
Configure settings:
- Users: Include all users, exclude emergency accounts
- Cloud apps: All cloud apps
- Conditions > Sign-in risk: Select Medium and High
- Grant: Require multi-factor authentication
- Session: Sign-in frequency – Every time
- Enable policy: Report-only (initially)

Phase 3: User Risk Policy Configuration

Create new policy: “Require password change for high-risk users”
Configure settings:
- Users: Include all users, exclude emergency accounts
- Cloud apps: All cloud apps
- Conditions > User risk: Select High
- Grant: Require password change + Require MFA
- Enable policy: Report-only (initially)

Microsoft’s Recommended Risk Levels for Small Business

Sign-in Risk: Require MFA for Medium and High risk levels
- Provides security without excessive user friction
- Allows self-remediation through MFA completion
User Risk: Require secure password change for High risk only
- Prevents account lockouts from overly aggressive policies
- Users can self-remediate compromised credentials

Balancing Security and Productivity

Enable Self-Remediation

Sign-in risks: Users complete MFA to prove identity and continue working
User risks: Users perform secure password change without admin intervention
Reduces helpdesk tickets and minimizes productivity disruption

Progressive Deployment Strategy

Pilot Group (Week 1-2)
- Start with IT staff and power users
- Monitor and gather feedback
- Adjust risk thresholds if needed
Phased Rollout (Week 3-4)
- Expand to departments gradually
- Provide user communication and training
- Document self-remediation procedures
Full Deployment (Week 5+)
- Switch policies from Report-only to On
- Monitor sign-in logs for blocked legitimate users
- Fine-tune based on real-world usage

PowerShell Implementation Example

Import-Module Microsoft.Graph.Identity.SignIns

# Create Sign-in Risk Policy
$signInRiskPolicy = @{
    displayName = "Require MFA for risky sign-ins"
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        signInRiskLevels = @("high", "medium")
        applications = @{
            includeApplications = @("All")
        }
        users = @{
            includeUsers = @("All")
            excludeGroups = @("emergency-access-group-id")
        }
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type = "everyTime"
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRiskPolicy

Key Monitoring and Success Metrics

Sign-in Success Rate: Should remain above 95% for legitimate users
MFA Prompt Frequency: Monitor for excessive prompting that impacts productivity
Risk Detection Accuracy: Review false positive rates weekly
Self-Remediation Rate: Track percentage of users successfully self-remediating
Helpdesk Tickets: Should decrease after initial deployment

Best Practices for Small Business

Start Conservative: Begin with High risk only, then add Medium risk after validation
Communicate Clearly: Provide user guides explaining why MFA prompts occur
Enable Modern Authentication: Block legacy authentication to prevent policy bypass
Regular Reviews: Analyze risk detection patterns monthly and adjust as needed
Document Exceptions: Maintain clear records of any policy exclusions
Test Rollback Procedures: Know how to quickly disable policies if issues arise